Preamble
Workist offers its customers web-based access to its AI-supported process automation platform (“Platform”) as part of a software-as-a-service solution. This enables the Customer to automate repetitive processes in the processing of documents. This contract, including its appendices (Privacy Policy for the Workist Platform and Data Processing Agreement), governs the contractual relationship between Workist and the Customer regarding the use of the IT infrastructure.
1. Terms of the Customer, Subject-Matter and Conclusion of the Agreement
1.1 The Agreement on the use of the platform can be concluded either by signing this Agreement in written form or by registering on the platform. The registration is carried out by an employee who is sufficiently authorized by the Customer.
1.2 The registration is carried out by filling in a form with various data, in particular the Order Form according to Appendix 1. Upon completion of the registration process, the Customer receives the access data for the platform.
1.3 Workist reserves the right to ask for appropriate information and to demand proof that the Customer is not a consumer according to Sec. 13 BGB (German Civil Code).
1.4 By completing the registration process or sending the Agreement the Customer makes a legally binding request to Workist to conclude an Agreement. An Agreement between Workist and the Customer is only concluded when Workist has accepted the offer. As confirmation of this the Customer receives either an e-mail or access to the platform is activated for him.
1.5 A Customer is entitled to register several users in accordance with Appendix 1. Each user is assigned a separate account.
1.6 The Customer’s general terms and conditions only become part of the Agreement if this has been explicitly agreed in written form.
1.7 The services offered by Workist are intended exclusively for entrepreneurs within the meaning of Sec. 14 BGB.
2. Services of Workist
2.1 Workist provides the Customer access to the Platform via the internet for a limited period of time during the term of the Agreement. The exact scope of the services to be provided by Workist can be found in the description of services in Appendix 1. Beyond the agreed services the Customer has no claim to a specific arrangement or specific functionalities of the Platform.
2.2 Operation and maintenance of the Platform is the responsibility of Workist. The Customer is responsible for providing for internet access and any hardware (e.g. router, smart device) or software (e.g. browser, plug-ins, apps) that may be required for access to the Platform at the Customer’s premises. The Customer has no right to claim access to the source codes of the platform provided by Workist. The Customer is responsible for the use and configuration of the Platform.
2.3 The average availability of the Platform is 99% on an annual average. Excluded from this is necessary planned maintenance work as well as disturbances which are not within Workist’s sphere of influence, in particular force majeure. If possible, Workist will inform the Customer about planned maintenance work in reasonable time in advance in text form to the contact person named to Workist in the Order Form. However, Workist expressly reserves the right, if necessary, to carry out unannounced maintenance work, especially if this is necessary for data and operational security.
2.4 Workist performs daily backups of the platform and the data stored by the Customer, which are kept for three days. An individual check of the correctness and completeness of the data backups is not carried out and Workist has no such contractual obligation.
2.5 Workist provides the Customer with a documentation of the Platform as well as instructions for its use electronically in German and/or English language online. The Customer is not entitled to edit, publish, broadcast or make publicly available the documentation or instructions for use.
2.6 Workist is entitled to employ subcontractors to assist with its performance of services under this Agreement at its own discretion.
2.7 Workist is entitled but not obliged to extend and develop the functional scope of the Platform. Workist reserves the right to offer extensions and developments only for payment of an additional fee. If the Customer purchases an extension or development for an additional fee by concluding a corresponding supplementary arrangement, the provisions of this Agreement apply accordingly to this purchase. If Workist makes extended or additional functions available free of charge after conclusion of the Agreement, these functions provided are considered to be a voluntary service of Workist.
2.8 Workist can change the functional scope of the Platform at any time to an extent that is reasonable for the Customer. The change is particularly reasonable if it becomes necessary for good cause – for example due to disruptions in the provision of services by subcontractors or for safety reasons – and the performance characteristics defined in the service description are essentially retained as well as the main performance obligations of Workist. If the changes do not exclusively concern extensions of the function or not only insignificant components of the services to be provided by Workist, Workist will inform the Customer about the change at least four weeks before it comes into effect by e-mail.
2.9 Workist is entitled to block the Customer’s access to the Platform if
– there are indications that the Customer’s login data has been or will be misused or that the login data has been or will be given to an unauthorized third party or that login data is being used by more than one natural person;
– there are indications that third parties have otherwise gained access to the IT infrastructure provided to the Customer;
– the blocking is necessary for technical reasons;
– Workist is obliged to block the access due to applicable laws or by court or by official authorities;
– the Customer is more than two weeks in delay of payment of the agreed fee within the meaning of clause 5 of the agreement;
– the Customer has entered incorrect or invalid contact details and communication between Workist and the Customer is no longer possible;
– the Customer has deposited incorrect bank account details and a regular performance of the Customer’s performance obligations is not guaranteed.
Workist shall notify the Customer of the blocking at the latest one working day before the blocking takes effect in text or written form, provided that the notification is reasonable and compatible with the purpose of the blocking, balancing the interests of both parties.
3. Obligations of the Customer
3.1 The Customer must keep the login data to the platform in a safe place and may only make them available to authorized employees. The Customer undertakes to oblige his employees to handle the login data confidentially and to inform Workist without undue delay if there is any suspicion that the login data could have become known to unauthorized persons. Furthermore, the Customer undertakes to observe all security measures, functional and other restrictions of the Platform. In particular the Customer is not permitted to remove, overcome, deactivate or otherwise circumvent protection or authentication mechanisms or use the Platform for purposes other than those intended or expressly mentioned in Appendix 1; in particular, the Customer is not permitted to make the Platform available to third parties.
3.2 The Customer has to back up his data himself regularly and according to the risk, as far as this is technically possible for him. This applies both to data on the Customer’s local systems and to data that the Customer stores on the Platform provided by Workist.
3.3 In the section of the Order Form or the registration process the Customer designates to Workist a contact person in his company who is authorized to receive and provide legally binding declarations in connection with the Agreement with Workist.
3.4 The Customer grants to Workist a non-exclusive license without limitation in time or place to all content which he transfers to Workist’s servers in the context of the use of the Platform, to use the content to the extent necessary to perform the agreement with the Customer, in particular to copy the content and make it accessible to third parties according to the Customer’s settings. Workist is entitled to grant sub-licenses to its sub-contractors in performance to the extent necessary for the performance of the agreement. Furthermore, the license is not transferable. Workist is entitled to retain Customer content beyond the duration of the Agreement insofar as this is technically or legally necessary. In particular Workist is authorized to keep backup copies of the contents provided by the Customer and to store temporarily or permanently such information which is required for accounting, documentation and billing purposes.
3.5 The Customer guarantees that he will take note of all applicable legal regulations, in particular copyright and data protection law, when using the Platform. The Customer indemnifies Workist from all claims of third parties which they assert against Workist because of the use of the platform by the Customer. Workist will inform the Customer without undue delay of any claims asserted by third parties and provide the information and documents necessary for defense on request. In addition, Workist will either let the Customer defend himself or will do so in consultation with the Customer. In particular Workist will neither acknowledge nor put claims asserted by third parties beyond dispute without consultation with the Customer. The provisions of this clause apply accordingly to contractual penalties as well as fines and administrative fines imposed by court or official authorities, insofar as the Customer is responsible for them.
3.6 The Customer should – within the limits of what is technically reasonable and possible – ensure that the normal business operations of the Customer continue to function properly, even if the Platform is not available, regardless of whether this is due to a fault of Workist or the Customer.
4. Licenses
4.1 Upon the commencement of the Agreement Workist grants to the Customer the non-exclusive, worldwide, non-transferable and non-sub-licensable license, limited to the term of the agreement, to use the Platform in accordance with the Agreement.
4.2 Excluded from the granting of licenses are components of the platform that are subject to third-party rights and in particular open-source licenses that are recognizable to the Customer. In particular those components which are disclosed by Workist within the Platform or in text files supplied as third-party content are considered recognizable.
5. Fees
5.1 The Customer pays Workist the fee agreed in the Order Form for the use of the Platform.
5.2 Unless otherwise stated, the fees apply monthly and net plus applicable value added tax.
5.3 Invoices are issued as specified in the Order Form. The fees invoiced are due upon invoicing.
6. Warranty
6.1 For cost free services Workist provides warranty according to the applicable statutory provisions.
6.2 Otherwise Workist provides warranty for defects in the provision of the Platform exclusively in accordance with the following provisions.
6.3 Defects are significant deviations from the contractually agreed functional scope of the Platform.
6.4 If the services to be provided by Workist under this Agreement are defective, Workist will, within a reasonable period and after receipt of a written (e-mail sufficient) notice of defect by the Customer, at its choice either subsequently improve the services or provide them again. When using third party software which Workist has licensed for use by the Customer, the remedy of defects consists in the procurement and installation of generally available upgrades, updates or patches. The provision of instructions for use, with which the Customer can reasonably work around defects that have occurred in order to use the Platform in accordance with the Agreement, is also deemed to be subsequent improvement.
6.5 If the defect-free provision of the services fails for reasons for which Workist is responsible, even within a reasonable period set by the Customer in written form (e-mail is sufficient), the Customer can reduce the agreed remuneration by an appropriate amount. The right to reduce the price is limited to the amount of the monthly fixed price for the defective part of the service.
6.6 If the reduction according to clause 6.5 reaches the maximum amount specified in clause 6.5 in two consecutive months or in two months of a quarter year, the Customer can terminate the agreement without notice.
6.7 The Customer will notify Workist without undue delay in written form (e-mail is sufficient) of any defects that may occur. Furthermore, the Customer will support Workist free of charge and in a reasonable manner in the remedy of defects and will in particular provide Workist with all information and documents which Workist requires for the analysis and remedy of defects.
7. Damage & Liability
7.1 Workist is liable for cost free services according to the applicable statutory provisions.
7.2 In all other respects Workist is unrestrictedly liable for intent and gross negligence and for damages caused by injury to life, body or health.
7.3 In cases of simple negligence Workist is liable for the breach of a primary contractual obligation (Kardinalpflichten according to German law). A primary contractual obligation in the sense of this clause is an obligation whose performance enables the performance of the Agreement and on whose performance the Customer may therefore regularly rely.
7.4 In the case of clause 7.3, Workist is not liable for lack of economic success, lost profits and indirect damages.
7.5 Liability pursuant to the above clause 7.3 is limited to the typical, foreseeable damage at the time of conclusion of the Agreement.
7.6 In the case of 7.3, liability for damages due to loss of data is limited to the amount of data recovery that would have been incurred even if the Customer had regularly backed up the data in accordance with the risk.
7.7 The limitations of liability apply accordingly in favor of employees, agents and assistants in performance of Workist.
7.8 Any liability of Workist for given guarantees (which must be explicitly designated as such) and for claims based on the German Product Liability Act remains unaffected.
7.9 Any further liability of Workist is excluded.
8. Confidentiality & Secrecy
8.1 The Customer undertakes to treat confidential information and documents (“Confidential Information“) of Workist, which are either obviously to be regarded as confidential or have been designated by Workist as confidential, as trade secrets and not to make them accessible to third parties. Third parties in the sense of this arrangement are also considered to be affiliated companies in which the Customer does not have a capital majority or a majority of votes. The Customer’s employees and other third parties (including subcontractors and freelancers) mandated by the Customer are to be obligated accordingly.
8.2 Confidential Information includes in particular the Platform as well as all of Workist’s technologies, information provided by Workist in the context of support requests or collaboration for the purpose of troubleshooting, as well as this agreement including its appendices. The licenses granted by Workist remain unaffected.
8.3 The Customer is entitled to disclose the confidential information made available to him to third parties if and to the extent that this is indispensable for the performance of this agreement or the exercise of contractual rights or if this is mandatory for legal or supervisory reasons. In the event of inquiries from third parties, judicial or administrative authorities concerning the disclosure of confidential information the Customer must inform Workist without undue delay in written or text form and support Workist in its efforts to prevent the disclosure of the confidential information.
8.4 The duty of secrecy does not apply if the Confidential Information was already known to the Customer before disclosure by Workist, is generally known or becomes known without fault of the Customer, was developed by the Customer himself without access to the Confidential Information by Workist or is brought to the attention of the third party by a bona fide third party who is entitled to do so. The mandatory legal obligations to provide information remain reserved. If the Customer invokes one or more of the aforementioned reasons, he must prove this by presenting suitable evidence.
8.5 The duty of secrecy begins with the knowledge of the Confidential Information and continues for the entire term of this Agreement and beyond that for five years from termination or the end of the Agreement term, unless legal regulations provide for a longer duty of secrecy. The Customer guarantees, within the scope of what is legally possible, that the duties of secrecy are also binding for his successors in title, assignees and affiliated companies.
8.6 During the period of validity of this duty of secrecy confidential information must be returned without undue delay, undamaged and complete at the first request of Workist. Workist can also order that certain confidential information be destroyed, deleted or placed in safekeeping and that the execution of this is confirmed in written form by the Customer. The above provisions in this clause apply only insofar as this does not significantly impair the use of the contractual service in accordance with the Agreement.
8.7 Notwithstanding the above provisions Workist is entitled to designate the Customer as a reference Customer by mentioning the full business name and using the logo of the business name in marketing materials (including websites).
8.8 With the exception of clause 8.7, the above provisions do not establish any licenses under intellectual property law. All licenses granted under this Agreement remain unaffected by the above provisions.
9. Term & Termination
9.1 The agreement begins on the effective date specified in the Order Form.
9.2 Unless otherwise agreed in the order form, the Agreement term is one year from the commencement of the Agreement.
9.3 The Agreement is extended by the agreed term if the Agreement is not terminated in written form by one of the parties at the end of the respective term in accordance with the period applicable according to the service description in the Order Form.
9.4 Workist is also entitled to terminate the Agreement without notice if the Customer is more than six weeks in default of payment of the agreed fee and Workist has notified the Customer of the prospect of a termination with a period of two weeks before the termination takes effect in text or written form.
9.5 Workist reserves the right to restrict or discontinue the functionality of the Platform for reasons other than those mentioned in clauses 2.6 and 2.7 under the conditions of clause 10. If the Customer objects to the changes in accordance with clause 10, Workist has the right of extraordinary notice of termination on the date on which the changes come into force.
9.6 Termination for good cause remains unaffected for both parties.
9.7 Upon termination of the agreement, for whatever reason, Workist will delete the Customer’s personal data in accordance with the arrangements in Appendix 2. Workist is entitled, but not obliged, to store data for security reasons for a period of four weeks after the termination of the contractual relationship to protect the Customer from accidental loss of data. Workist is also entitled to store data after the termination of the contractual relationship if Workist is legally or by order of an authority obliged to do so, in particular for reasons of commercial and tax law.
10. Changes of the Terms & Conditions
10.1 These terms and conditions can be changed between the Customer and Workist by arrangement as described below: Workist will send the changed terms and conditions in text form before the planned entry into force and will point out the new regulations and the date of the planned entry into force separately. At the same time Workist will give the Customer a reasonable period of at least two months to declare whether he accepts the changed terms and conditions for further use of the services. If no declaration is made within this period, which begins to run from receipt of the notification in text form, the changed terms and conditions are deemed to be agreed. Workist will inform the Customer separately of these remedies, i.e. the right to object, the objection period and the meaning of tacit admission, at the beginning of the period.
10.2 Changes relating to material contractual obligations are only permitted if these are necessary because the services provided by Workist without the change of the material contractual obligations are necessary for reasons of IT security or due to a changed legal situation.
11. Final Provisions
11.1 Changes and additional agreements to this Agreement must be made in written form. This also applies to this written form clause.
11.2 In case of contradictions between the Appendices and the Agreement, the provisions of the Appendices shall prevail.
11.3 The Customer can only offset against claims of Workist or assert a right to retain if the counterclaim is undisputed or has been legally recognized or is in a synallagmatic relationship with the respective claim concerned.
11.4 The language of the Agreement is German. Translations into other languages are for the sole purpose of comprehensibility and are not legally binding.
11.5 The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
11.6 The exclusive place of jurisdiction over all disputes under or in connection with this Agreement is Berlin, provided that the parties of the Agreement are merchants, or the Customer has no general place of jurisdiction in Germany or in another EU member state or has moved his permanent domicile abroad after these terms and conditions have come into effect or his domicile or his habitual place of residence is unknown at the time of the commencement of legal proceedings.
(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These Clauses apply to the processing of personal data as specified in Annex II.
(d) Annexes I to IV are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
Processing by the processor shall only take place for the duration specified in Annex II.
(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
(a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least two weeks in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
Controller:
Name: The customer specified in the main contract
Address: In accordance with the customer's address specified in the main contract.
Name, position and contact details of the contact person: As specified in the main contract
Signature: By signing the main contract
Processor:
Name: Workist GmbH
Address: Linienstraße 126
Name, position and contact details of the contact person: Dr. Fabian Brosig
Signature: By signing the main contract
Categories of data subjects whose personal data are processed
Categories of personal data processed
Type of processing
Self-operated web-based software solution ("Software-as-a-Service")
Purpose(s) for which personal data is processed on behalf of the controller
Duration of processing
The duration of processing corresponds to the term of the main contract.
This category covers measures to prevent unauthorized physical access to areas where sensitive data is stored or processed.
Technical Measures
Organizational Measures
This category involves measures that restrict unauthorized access to digital systems and data, ensuring that only authorized individuals can access sensitive information and resources.
Technical Measures
Organizational Measures
1.3. Authorization Control
This category focuses on ensuring that those authorized to use a data processing system can only access the data subject to their access authorization, with controls in place to manage and limit access rights, prevent unauthorized use and securely handle sensitive data.
Technical Measures
Organizational Measures
This category ensures that data and systems are kept isolated from one another where necessary, minimizing the risk of data leaks.
Technical Measures
Organizational Measures
This category involves the process of replacing identifiable information with pseudonyms, ensuring that personal data cannot be attributed to a specific individual without additional information. Pseudonymization enhances data privacy by reducing the risk of exposure while still allowing data to be processed and analyzed.
Technical Measures
Organizational Measures
This category focuses on ensuring the integrity and security of data during transmission. It includes measures that protect data from unauthorized access, modification, or loss while being transferred between systems or parties, ensuring that data remains unchanged throughout the process.
Technical Measures
Organizational Measures
This category ensures the accuracy and integrity of data during input, modification, and access. It includes measures to track and log all data entries and changes, secure the data from unauthorized modifications, and allow corrections when necessary. These measures are necessary to keep the data accurate and consistent throughout its lifecycle while providing transparency and accountability.
Technical Measures
Organizational Measures
This category focuses on ensuring that data and systems are consistently accessible and operational when needed, preventing downtime and protecting against data loss or system failures.
Technical Measures
Organizational Measures
This category ensures that data and systems can be quickly restored to full functionality after an incident.
Technical Measures
Organizational Measures
This category includes procedures and documentation necessary to ensure ongoing compliance with data protection regulations and allow data protection to remain integrated into the company’s operations, risk management, and decision-making processes.
Technical Measures
Organizational Measures
This category involves the ongoing evaluation and improvement of the processes and protocols in place to respond to data breaches and security incidents.
Technical Measures
Organizational Measures
This category ensures that data protection is integrated into the design and operation of systems and processes from the outset.
Technical Measures
Organizational Measures
This category covers the monitoring and management of external parties involved in data processing. It includes measures that ensure that outsourcing arrangements maintain the necessary levels of data protection and security.
Technical Measures
Organizational Measures
Subcontractor: Azure (Microsoft Deutschland GmbH)
Address: Walter-Gropius-Straße 5, 80807 München, Germany
Subject of Contract: Cloud Services
Data Transfer to Third Countries (Legal Basis): Microsoft is certified under the EU-US Data Privacy Framework (DPF), which enables data transfers to occur based on an adequacy decision of the EU Commission pursuant to Article 45 GDPR
Subcontractor: AWS (Amazon Web Services EMEA SARL)
Address: 38 avenue John F. Kennedy, L-1855 Luxemburg
Subject of Contract: Cloud Services
Data Transfer to Third Countries (Legal Basis): AWS is EU-US Data Privacy Framework certified, meaning that data transfers can be carried out in accordance with Art. 45 GDPR
Subcontractor: Sendgrid¹ (Twilio Inc.)
Address: 101 Spear Street, Fifth Floor, San Francisco, CA 94105, United States
Subject of Contract: E-Mail Provider
Data Transfer to Third Countries (Legal Basis): Twilio Inc. is certified under the EU-US DPF. Data transfer can take place in accordance with Art. 45 GDPR
Subcontractor: Hubspot¹ (Hubspot Inc.)
Address: 2 Canal Park, Cambridge, MA 02141, United States
Subject of Contract: Customer Service and Support Software
Data Transfer to Third Countries (Legal Basis): Hubspot, Inc. is certified under the EU-US Data Privacy Framework, thus allowing transfer in accordance with Art. 45 GDPR
Subcontractor: Syncwork² (Syncwork AG)
Address: Franklinstr. 26a, 10587 Berlin, Germany
Subject of Contract: SAP Integration Partner
Data Transfer to Third Countries (Legal Basis): n/a
¹ Planned
² This service provider will only become part of the Data Processing Agreement (AVV) if the corresponding service has been booked by the client.