Terms & Conditions
1. Terms of the Customer, Subject-Matter and Conclusion of the Agreement
1.1 Terms of the Customer, Subj1.1 The Agreement on the use of the platform can be concluded either by signing this Agreement in written form or by registering on the platform. The registration is carried out by an employee who is sufficiently authorized by the Customer.
1.2 The registration is carried out by filling in a form, in particular by filling in the Order Form according to Appendix 1, of various data. Upon completion of the registration process, the Customer receives the access data for the platform.
1.3 Workist reserves the right to ask for appropriate information and to demand proof that the Customer is not a consumer according to Sec. 13 BGB (German Civil Code).
1.4 By completing the registration process or sending the Agreement the Customer makes a legally binding request to Workist to conclude an Agreement. An Agreement between Workist and the Customer is only concluded when Workist has accepted the offer. As confirmation of this the Customer receives either an e-mail or access to the platform is activated for him.
1.5 A Customer is entitled to register several users in accordance with Appendix 1. Each user is assigned a separate account.
1.6 The Customer’s general terms and conditions only become part of the Agreement if this has been explicitly agreed in written form.
1.7 The services offered by Workist are intended exclusively for entrepreneurs within the meaning of Sec. 14 BGB.ect-Matter and Conclusion of the Agreement
2. Services of Workist
2.1 Workist provides the Customer access to the Platform via the internet for a limited period of time during the term of the Agreement. The exact scope of the services to be provided by Workist can be found in the description of services in Appendix 1. Beyond the agreed services the Customer has no claim to a specific arrangement or specific functionalities of the Platform.
2.2 Operation and maintenance of the Platform is the responsibility of Workist. The Customer is responsible for providing for internet access and any hardware (e.g. router, smart device) or software (e.g. browser, plug-ins, apps) that may be required for access to the Platform at the Customer’s premises. The Customer has no right to claim access to the source codes of the platform provided by Workist. The Customer is responsible for the use and configuration of the Platform.
2.3 The average availability of the Platform is 95% on an annual average. Excluded from this is necessary planned maintenance work as well as disturbances which are not within Workist’s sphere of influence, in particular force majeure. If possible, Workist will inform the Customer about planned maintenance work in reasonable time in advance in text form to the contact person named to Workist in the Order Form. However, Workist expressly reserves the right, if necessary, to carry out unannounced maintenance work, especially if this is necessary for data and operational security.
2.4 Workist performs daily backups of the platform and the data stored by the Customer, which are kept for three days. An individual check of the correctness and completeness of the data backups is not carried out and Workist has no such contractual obligation.
2.5 Workist provides the Customer with a documentation of the Platform as well as instructions for its use electronically in German and/or English language online. The Customer is not entitled to edit, publish, broadcast or make publicly available the documentation or instructions for use.
2.6 Workist is entitled to employ subcontractors to assist with its performance of services under this Agreement at its own discretion.
2.7 Workist is entitled but not obliged to extend and develop the functional scope of the Platform. Workist reserves the right to offer extensions and developments only for payment of an additional fee. If the Customer purchases an extension or development for an additional fee by concluding a corresponding supplementary arrangement, the provisions of this Agreement apply accordingly to this purchase. If Workist makes extended or additional functions available free of charge after conclusion of the Agreement, these functions provided are considered to be a voluntary service of Workist.
2.8 Workist can change the functional scope of the Platform at any time to an extent that is reasonable for the Customer. The change is particularly reasonable if it becomes necessary for good cause – for example due to disruptions in the provision of services by subcontractors or for safety reasons – and the performance characteristics defined in the service description are essentially retained as well as the main performance obligations of Workist. If the changes do not exclusively concern extensions of the function or not only insignificant components of the services to be provided by Workist, Workist will inform the Customer about the change at least four weeks before it comes into effect by e-mail.
2.9 Workist is entitled to block the Customer’s access to the Platform if
– there are indications that the Customer’s login data has been or will be misused or that the login data has been or will be given to an unauthorized third party or that login data is being used by more than one natural person;
– there are indications that third parties have otherwise gained access to the IT infrastructure provided to the Customer;
– the blocking is necessary for technical reasons;
– Workist is obliged to block the access due to applicable laws or by court or by official – authorities;
– the Customer is more than two weeks in delay of payment of the agreed fee within the meaning of clause 5of the agreement;
– the Customer has entered incorrect or invalid contact details and communication between Workist and the Customer is no longer possible;
– the Customer has deposited incorrect bank account details and a regular performance of the Customer’s performance obligations is not guaranteed.
Workist shall notify the Customer of the blocking at the latest one working day before the blocking takes effect in text or written form, provided that the notification is reasonable and compatible with the purpose of the blocking, balancing the interests of both parties.
3. Obligations of the Customer
3.1 The Customer must keep the login data to the platform in a safe place and may only make them available to authorized employees. The Customer undertakes to oblige his employees to handle the login data confidentially and to inform Workist without undue delay if there is any suspicion that the login data could have become known to unauthorized persons. Furthermore, the Customer undertakes to observe all security measures, functional and other restrictions of the Platform. In particular the Customer is not permitted to remove, overcome, deactivate or otherwise circumvent protection or authentication mechanisms or use the Platform for purposes other than those intended or expressly mentioned in Appendix 1; in particular, the Customer is not permitted to make the Platform available to third parties.
3.2 The Customer has to back up his data himself regularly and according to the risk, as far as this is technically possible for him. This applies both to data on the Customer’s local systems and to data that the Customer stores on the Platform provided by Workist.
3.3 In the section of the Order Form or the registration process the Customer designates to Workist a contact person in his company who is authorized to receive and provide legally binding declarations in connection with the Agreement with Workist.
3.4 The Customer grants to Workist a non-exclusive license without limitation in time or place to all content which he transfers to Workist’s servers in the context of the use of the Platform, to use the content to the extent necessary to perform the agreement with the Customer, in particular to copy the content and make it accessible to third parties according to the Customer’s settings. Workist is entitled to grant sub-licenses to its sub-contractors in performance to the extent necessary for the performance of the agreement. Furthermore, the license is not transferable. Workist is entitled to retain Customer content beyond the duration of the Agreement insofar as this is technically or legally necessary. In particular Workist is authorized to keep backup copies of the contents provided by the Customer and to store temporarily or permanently such information which is required for accounting, documentation and billing purposes.
3.5 The Customer guarantees that he will take note of all applicable legal regulations, in particular copyright and data protection law, when using the Platform. The Customer indemnifies Workist from all claims of third parties which these asserts against Workist because of the use of the platform by the Customer. Workist will inform the Customer without undue delay of any claims asserted by third parties and provide the information and documents necessary for defense on request. In addition, Workist will either let the Customer defend himself or will do so in consultation with the Customer. In particular Workist will neither acknowledge nor put claims asserted by third parties beyond dispute without consultation with the Customer. The provisions of this clause apply accordingly to contractual penalties as well as fines and administrative fines imposed by court or official authorities, insofar as the Customer is responsible for them.
3.6 The Customer should – within the limits of what is technically reasonable and possible – ensure that the normal business operations of the Customer continue to function properly, even if the Platform is not available, regardless of whether this is due to a fault of Workist or the Customer.
4.1 Upon the commencement of the Agreement Workist grants to the Customer the non-exclusive, worldwide, non-transferable and non-sub-licensable license, limited to the term of the agreement, to use the Platform in accordance with the Agreement.
4.2 Excluded from the granting of licenses are components of the platform that are subject to third-party rights and in particular open-source licenses that are recognizable to the Customer. In particular those components which are disclosed by Workist within the Platform or in text files supplied as third-party content are considered recognizable.
5.1 The Customer pays Workist the fee agreed in the Order Form for the use of the Platform.
5.2 Unless otherwise stated, the fees apply monthly and net plus applicable value added tax.
5.3 Invoices are issued as specified in the Order Form. The fees invoiced are due upon invoicing.
6.1 For cost free services Workist provides warranty according to the applicable statutory provisions.
6.2 Otherwise Workist provides warranty for defects in the provision of the Platform exclusively in accordance with the following provisions.
6.3 Defects are significant deviations from the contractually agreed functional scope of the Platform.
6.4 If the services to be provided by Workist under this Agreement are defective, Workist will, within a reasonable period and after receipt of a written (e-mail sufficient) notice of defect by the Customer, at its choice either subsequently improve the services or provide them again. When using third party software which Workist has licensed for use by the Customer, the remedy of defects consists in the procurement and installation of generally available upgrades, updates or patches. The provision of instructions for use, with which the Customer can reasonably work around defects that have occurred in order to use the Platform in accordance with the Agreement, is also deemed to be subsequent improvement.
6.5 If the defect-free provision of the services fails for reasons for which Workist is responsible, even within a reasonable period set by the Customer in written form (e-mail is sufficient), the Customer can reduce the agreed remuneration by an appropriate amount. The right to reduce the price is limited to the amount of the monthly fixed price for the defective part of the service.
6.6 If the reduction according to clause 6.5 reaches the maximum amount specified in clause 6.5 in two consecutive months or in two months of a quarter year, the Customer can terminate the agreement without notice.
6.7 The Customer will notify Workist without undue delay in written form (e-mail is sufficient) of any defects that may occur. Furthermore, the Customer will support Workist free of charge and in a reasonable manner in the remedy of defects and will in particular provide Workist with all information and documents which Workist requires for the analysis and remedy of defects.
7. Damage & Liability
7.1 Workist is liable for cost free services according to the applicable statutory provisions.
7.2 In all other respects Workist is unrestrictedly liable for intent and gross negligence and for damages caused by injury to life, body or health.
7.3 In cases of simple negligence Workist is liable for the breach of a primary contractual obligation (Kardinalpflichten according to German law). A primary contractual obligation in the sense of this clause is an obligation whose performance enables the performance of the Agreement and on whose performance the Customer may therefore regularly rely.
7.4 In the case of clause 7.3Workist is not liable for lack of economic success, lost profits and indirect damages.
7.5 Liability pursuant to the above clause 7.3is limited to the typical, foreseeable damage at the time of conclusion of the Agreement.
7.6 In the case of 7.3liability for damages due to loss of data is limited to the amount of data recovery that would have been incurred even if the Customer had regularly backed up the data in accordance with the risk.
7.7 The limitations of liability apply accordingly in favor of employees, agents and assistants in performance of Workist.
7.8 Any liability of Workist for given guarantees (which must be explicitly designated as such) and for claims based on the German Product Liability Act remains unaffected.
7.9 Any further liability of Workist is excluded.
8. Confidentiality & Secrecy
8.1 The Customer undertakes to treat confidential information and documents (“Confidential Information“) of Workist, which are either obviously to be regarded as confidential or have been designated by Workist as confidential, as trade secrets and not to make them accessible to third parties. Third parties in the sense of this arrangement are also considered to be affiliated companies in which the Customer does not have a capital majority or a majority of votes. The Customer’s employees and other third parties (including subcontractors and freelancers) mandated by the Customer are to be obligated accordingly.
8.2 Confidential Information includes in particular the Platform as well as all of Workist’s technologies, information provided by Workist in the context of support requests or collaboration for the purpose of troubleshooting, as well as this agreement including its appendices. The licenses granted by Workist remain unaffected.
8.3 The Customer is entitled to disclose the confidential information made available to him to third parties if and to the extent that this is indispensable for the performance of this agreement or the exercise of contractual rights or if this is mandatory for legal or supervisory reasons. In the event of inquiries from third parties, judicial or administrative authorities concerning the disclosure of confidential information the Customer must inform Workist without undue delay in written or text form and support Workist in its efforts to prevent the disclosure of the confidential information.
8.4 The duty of secrecy does not apply if the Confidential Information was already known to the Customer before disclosure by Workist, is generally known or becomes known without fault of the Customer, was developed by the Customer himself without access to the Confidential Information by Workist or is brought to the attention of the third party by a bona fide third party who is entitled to do so. The mandatory legal obligations to provide information remain reserved. If the Customer invokes one or more of the aforementioned reasons, he must prove this by presenting suitable evidence.
8.5 The duty of secrecy begins with the knowledge of the Confidential Information and continues for the entire term of this Agreement and beyond that for five years from termination or the end of the Agreement term, unless legal regulations provide for a longer duty of secrecy. The Customer guarantees, within the scope of what is legally possible, that the duties of secrecy are also binding for his successors in title, assignees and affiliated companies.
8.6 During the period of validity of this duty of secrecy confidential information must be returned without undue delay, undamaged and complete at the first request of Workist. Workist can also order that certain confidential information be destroyed, deleted or placed in safekeeping and that the execution of this is confirmed in written form by the Customer. The above provisions in this clause apply only insofar as this does not significantly impair the use of the contractual service in accordance with the Agreement.
8.7 Notwithstanding the above provisions Workist is entitled to designate the Customer as a reference Customer by mentioning the full business name and using the logo of the business name in marketing materials (including websites).
8.8 With the exception of clause 8.7the above provisions do not establish any licenses under intellectual property law. All licenses granted under this Agreement remain unaffected by the above provisions.
9. Term & Termination
9.1 The agreement begins on the effective date specified in the Order Form.
9.2 Unless otherwise agreed in the order form, the Agreement term is one year from the commencement of the Agreement.
9.3 The Agreement is extended by the agreed term if the Agreement is not terminated in written form by one of the parties at the end of the respective term in accordance with the period applicable according to the service description in the Order Form.
9.4 Workist is also entitled to terminate the Agreement without notice if the Customer is more than six weeks in default of payment of the agreed fee and Workist has noticed the Customer of the prospect of a termination with a period of two weeks before the termination takes effect in text or written form.
9.5 Workist reserves the right to restrict or discontinue the functionality of the Platform for reasons other than those mentioned in clauses 2.6and 2.7under the conditions of clause 10If the Customer objects to the changes in accordance with clause 10Workist has the right of extraordinary notice of termination on the date on which the changes come into force.
9.6 Termination for good cause remains unaffected for both parties.
9.7 Upon termination of the agreement, for whatever reason, Workist will delete the Customer’s personal data in accordance with the arrangements in Appendix 2.Workist is entitled, but not obliged, to store data for security reasons for a period of four weeks after the termination of the contractual relationship to protect the Customer from accidental loss of data. Workist is also entitled to store data after the termination of the contractual relationship if Workist is legally or by order of an authority obliged to do so, in particular for reasons of commercial and tax law.
10. Changes of the Terms & Conditions
10.1 These terms and conditions can be changed between the Customer and Workist by arrangement as described below: Workist will send the changed terms and conditions in text form before the planned entry into force and will point out the new regulations and the date of the planned entry into force separately. At the same time Workist will give the Customer a reasonable period of at least two months to declare whether he accepts the changed terms and conditions for further use of the services. If no declaration is made within this period, which begins to run from receipt of the notification in text form, the changed terms and conditions are deemed to be agreed. Workist will inform the Customer separately of this remedies, i.e. the right to object, the objection period and the meaning of tacit admission, at the beginning of the period.
10.2 Changes relating to material contractual obligations are only permitted if these are necessary because the services provided by Workist without the change of the material contractual obligations are necessary for reasons of IT security or due to a changed legal situation.
11. Final Provisions
11.1 Changes and additional agreements to this Agreement must be made in written form. This also applies to this written form clause.
11.2 In case of contradictions between the Appendices and the Agreement, the provisions of the Appendices shall prevail.
11.3 The Customer can only offset against claims of Workist or assert a right to retain if the counterclaim is undisputed or has been legally recognized or is in a synallagmatic relationship with the respective claim concerned.
11.4 The language of the Agreement is German. Translations into other languages are for the sole purpose of comprehensibility and are not legally binding.
11.5 The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
11.6 The exclusive place of jurisdiction over all disputes under or in connection with this Agreement is Berlin, provided that the parties of the Agreement are merchants, or the Customer has no general place of jurisdiction in Germany or in another EU member state or has moved his permanent domicile abroad after these terms and conditions have come into effect or his domicile or his habitual place of residence is unknown at the time of the commencement of legal proceedings.
1. Personal Responsible and Contact
c/o DB mindbox
Represented by the managing directors Alexander Müller and Tim Wegner
(hereinafter referred to as “Workist” or “we“)
If you have any questions or suggestions on the subject of data protection, you are welcome to contact us by e-mail via the following address: email@example.com.
You can contact our data protection officer at the following e-mail address: firstname.lastname@example.org.
2. Subject of Data Protection
The subject of data protection is personal data. According to Art. 4 No. 1 GDPR (General Data Protection Regulation), personal data is all information relating to an identified or identifiable natural person; this includes, for example, the name or identification numbers.
3. Automated Data Acquisition
When accessing our platform, your end-device automatically transfers data for technical reasons. The following data is stored separately from other data that you may transmit to us:
– IP address
– URL of the requested page
– Date and time
We store this data for the following purposes:Load balancing, i.e. to distribute the access to
our platform to several devices and to be able to offer you the fastest possible loading times;
Ensuring the security of our IT systems, e.g. to defend against concrete attacks on our systems and to recognize attack patterns;
Ensuring the proper operation of our IT systems, e.g. if errors occur which we can only correct by storing the IP address;
– in order to enable criminal prosecution, averting of danger or legal prosecution in the case of concrete indications of criminal offenses.
– Your IP address will only be saved for a period of 90 days.
In this case, the processing is carried out on the basis of our predominant above-mentioned legitimate interests (Art. 6 (1) (f) GDPR).
4. Registration & Conclusion of the Agreement
The agreement for the use of the platform can be concluded either in written form or within the scope of registration on the platform. In both cases you will then receive the login data for the platform.
In order to be able to use all functions of our platform, you must register, regardless of the form of contract conclusion. To do so, you must provide the following mandatory information:
– first name and surname
– e-mail address
Your registration data is required to set up and manage an account for you and to enable you to use our platform, Art. 6 (1) (b) GDPR. In order to set up this account, you must provide us with this data. However, you are neither contractually nor legally obliged to conclude the agreement and thus to provide the data.
If a customer of Workist (“Customer“) creates a user account for further persons, e.g. employees, or enables them to register, their registration is carried out according to the procedures described above. In this case, however, Workist processes the registration data on behalf of the Customer, i.e. not as an independently responsible person, but as a processor on the basis of the contract processing agreement concluded with the Customer. In this case the legal basis for the processing of registration data by Workist is Art. 28 (1) GDPR. In this case the Customer is responsible for data protection.
5. Data Processing within the Scope of the Platform
The processing of personal data that may be contained in the content that the Customer or its users bring into the platform or for which they use the platform (“Customer Content”) is carried out exclusively on behalf of the Customer. Consequently, Workist does not act here as an independent responsible party, but as a processor on the basis of the Data Processing Agreement concluded with the Customer. In this case the legal basis for the processing of personal data contained in Customer Content by Workist is Art. 28 Para. 1 GDPR. In this case the Customer is responsible for data protection.
6. Passing on of Data
In principle, your personal data will only be passed on without your express prior consent in the following cases:
The disclosure of this data is based on our legitimate interest in combating abuse, prosecuting criminal offenses and securing, asserting and enforcing claims and that your rights and interests in the protection of your personal data do not outweigh, Art. 6 (1) (f) GDPR or due to a legal obligation under Art. 6 (1) (c) GDPR.
We rely on contractually affiliated third-party companies and external service providers (“Contractors”) to provide our services. In such cases, personal data will be passed on to these processors in order to enable them to further process the data. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors may use the data exclusively for the purposes specified by us and are furthermore contractually obliged by us to treat your data exclusively in accordance with this data protection declaration and the German data protection laws.
In detail we use the following contract processors:
– Amazon Web Services (AWS) – Hosting
– Microsoft Azure – Hosting
– ABBYY Europe GmbH – Cloud Services
– Telekom Deutschland – Cloud Services
We provide data to processors on the basis of Art. 28 (1) GDPR. In the event that personal data is transferred to a data processor outside the EU and no adequacy finding is made, we ensure the proper processing of the data by taking measures as described in Art. 46 et seq. GDPR described. For further information, please contact us via the e-mail address given above.
The disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances and that your rights and interests in the protection of your personal data do not outweigh the protection of your privacy, Art. 6 (1) (f)) GDPR.
7. Automated Individual Decisions or Measures for Profiling
We do not use any automated processing to make a decision affecting you or for profiling purposes.
8. Deletion of Data
Unless otherwise stated, we will delete or anonymize your personal data as soon as it is no longer required for the purposes for which we collected or used it in accordance with the above paragraphs. As a rule, we store your personal data for the duration of the usage or contractual relationship via the platform, as well as for a period of four weeks during which we store backup copies after the end of the agreement. We will also continue to store your data if we are obliged to do so for legal reasons or if the data is required for longer for criminal prosecution or to secure, assert or enforce legal claims.
Insofar as data must be stored for legal reasons, the processing will be restricted. The data is then no longer available for further use. Storage beyond the scope of the contractual relationship is based on our aforementioned legitimate interests in accordance with Art. 6 (1) (f) GDPR.
9. Your Rights as a Data Subject
As a person affected by the processing of personal data, you have the right to be informed about the data processed, a right to correct your personal data, a right to have your personal data deleted, a right to limit the processing of your personal data and a right to have your personal data communicated to us.
In addition, you have the right to object at any time, for reasons relating to your specific situation, to the processing of your personal data, if the processing is based on Art. 6 (1) (e) or (f) DPA (including profiling) or if data are processed for direct marketing purposes.
In case of consent, you have the right to revoke your consent at any time, Art. 7 (3) Cl. 1 GDPR. You can do this by sending a message to email@example.com.
You also have the right to submit complaints to a regulatory body.
Finally, we would like to point out that we process the personal data provided by you when exercising your rights according to Art. 15 to 22 GDPR for the purpose of implementing these rights and to be able to provide proof of this. This processing is based on the legal basis of Art. 6 (1) (c) GDPR.
Status: Jan 8, 2021
Data Processing Agreement
This Data Processing Agreement (“DPA“) specifies the data protection obligations and rights of the parties in connection with the processing of personal data processed by Workist GmbH, c/o DB mindbox, Holzmarktstraße 6-9, 10179 Berlin (hereinafter “Contractor“) on behalf of Workist (hereinafter “Customer“) under the agreement concluded between the parties on the use of the Workist platform (hereinafter “Main Agreement“).
1. Scope of Application
When providing the services in accordance with the Main Agreement, the Contractor shall process personal data which the Customer has provided for the purpose of providing the services and in respect of which the Customer acts as the responsible party in the sense of data protection law (“Customer Data”). In the event of contradictions between this DPA and provisions of other agreements, in particular of the Main Agreement, the regulations of this DPA shall take precedence.
2. Customer Data
2.1. The Contractor will process the Customer Data exclusively on behalf of the Customer and in accordance with the Customer’s instructions, unless the Contractor is legally required to do otherwise under the law of the European Union or a member state. In such a case, the Contractor shall notify Customer of these legal requirements prior to processing, unless the law in question prohibits such information for an important public interest.
2.2. Unless otherwise agreed in the Main Agreement, the processing of Customer Data by the Contractor shall be carried out exclusively in the nature, to the extent and for the purpose specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.
2.3. The duration of the processing corresponds to the duration of the Main Agreement.
2.4. Personal data is generally processed in member states of the European Union or in another state that is a party to the Agreement on the European Economic Area (“EEA“). Subject to compliance with the provisions of this DPA, the Contractor is also permitted to process Customer Data outside the EEA or to have it processed by other contractors in accordance with Clause 5 of this DPA, if the conditions of Articles 44 to 48 GDPR (General Data Protection Regulation) are fulfilled or an exception in accordance with Art. 49 GDPR exists. If the conclusion of standard contractual clauses is required for this purpose, the Customer hereby authorises the Contractor to conclude these clauses on his behalf with any further processor. If this is not possible, the Contractor shall, on the instructions of the Customer, immediately enforce against the further processors all instructions and rights to which the data exporter is entitled under the EU standard contractual clauses and assign them to Customer upon request.
2.5. The instructions are set out in the Main Agreement. In addition, the Customer is entitled to issue instructions on the nature, scope, purposes and means of processing Customer Data. These instructions must be in written form or text form. Oral instructions will be confirmed by the Customer in written form or by e-mail. All instructions shall be documented by the parties. The persons authorised to give instructions and the recipients of instructions are listed in Annex 1. In the event of a change or a long-term inability of the persons named to carry out the instructions, the successor or representative must be named to the contractual partner in text form without delay-
2.6. If the Contractor is of the opinion that an instruction of the Customer violates this DPA, the GDPR or other data protection regulations of the European Union or the member states, the Contractor shall inform the Customer of this immediately in written form or text form. The Contractor is entitled to suspend the execution of such an instruction until the Customer confirms it in written form or text form. If the Customer insists on the execution of an instruction in spite of the reservations expressed by the Contractor, the Customer shall indemnify the Contractor against all damages and costs incurred by the contractor in executing the Customer’s instruction. The Contractor will inform the Customer about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of the Customer and will conduct the defence at the discretion of the Contractor in coordination with the Customer or leave it to the Customer.
3. Requirement for Personnel
3.1. The Contractor shall obligate all personnel under his authority who have access to Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations.
3.2. The Contractor shall ensure that personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and the Customer’s instructions, unless they are required to do so under the laws of the European Union or the member states.
4. Security of Processing
4.1. Taking into account the state of the art, the costs of implementation and – as far as known to the Contractor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the Contractor shall implement appropriate technical and organisational measures to ensure a level of security for the Customer Data appropriate to the risk.
4.2. Prior to the beginning of the processing of the Customer Data, the Contractor shall in particular implement the technical and organisational measures specified in Annex 3 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
4.3. Since the technical and organisational measures are subject to technical progress, Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 3. If the Contractor makes significant changes to the measures specified in Annex 3, he will inform the Customer of such changes in advance.
4.4. It is incumbent on the Customer to check the technical and organisational measures taken by the Contractor, in particular whether these are also sufficient with regard to circumstances of data processing of which the Contractor is not aware.
5. Use of Sub-Processors
5.1. The Contractor uses the sub-processors listed in Annex 2 for the processing of Customer Data. These are deemed to be approved upon conclusion of this DPA.
5.2. The Contractor may use further sub-processors to process Customer Data subject to the following conditions: The Contractor shall inform the Customer at least 15 working days before making use of the further sub-processor in text form or written form. Unless the Customer raises an objection within 5 working days, the commissioning is deemed approved.
5.3. If the Customer objects to the use of a further sub-processor, the Contractor shall be entitled, at its option, to continue to provide the services without the corresponding processor or to terminate the Main Agreement and this DPA at the time of the planned use of the processor.
5.4. The Contractor must obligate each further processor by means of a written agreement in the same way as the Contractor is obligated to the Customer under this agreement.
5.5. The Contractor shall be obliged to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of the Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
6. Rights of the Data Subjects
6.1. The Contractor shall take all reasonable technical and organisational measures to assist the Customer in fulfilling its obligation to respond to requests from affected persons to exercise their rights.
6.2. The Contractor will in particular:
– immediately inform the Customer if a data subject should contact Contractor directly with a request to exercise his rights in relation to Customer Data;
– immediately provide the Customer with all information in his possession concerning the processing of Customer Data which the Customer requires to answer the request of a data subject and which the Customer does not have at his disposal;
– Customer Data can be corrected, deleted or limited in processing immediately upon instruction of the Customer;
– ensure that the Customer can and does receive the Customer Data processed in the area of responsibility of the Contractor in a structured, common and machine-readable format, provided that the data subject has a right of data transferability with respect to the Customer with regard to the Customer Data.
7. Other Obligations of the Contractor to assist the Customer
7.1. The Contractor shall notify the Customer immediately after becoming aware of any Customer Data breach, in particular incidents that lead to the destruction, loss, alteration or unauthorised disclosure of or access to Customer Data.
7.2. In the event of any violation of the protection of Customer Data, Contractor shall, without delay, take all necessary and reasonable measures to remedy the violation of the protection of Customer Data and, if necessary, to mitigate its possible adverse effects.
7.3. If the Customer is obliged to provide information to a government authority or a third-party regarding the processing of Customer Data or to cooperate with such entities in any other way, the Contractor is obliged to assist the Customer in providing such information or in fulfilling other obligations to cooperate.
7.4. Taking into account the information available to him, the Contractor will assist the Customer in complying with the obligations set out in Art. 32 GDPR.
7.5. In the event that the Customer is obliged to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, the Contractor shall, at the request of the Customer, assist the Customer in complying with these obligations. In particular, the Contractor is obliged to document all potential violations of Customer Data breaches, including all related facts, in a manner that enables the Customer to prove compliance with any relevant statutory reporting obligations.
7.6. The Contractor shall support the Customer within the scope of what is reasonable in any data protection impact assessments to be carried out by him and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
8. Detection and Return of Customer Data
8.1. Upon the instruction of the Customer, the Contractor shall, upon termination of the Main Agreement, either delete all Customer Data completely or return it to the Customer and delete any existing copies, unless the law of the European Union or a member state requires the Contractor to continue storing Customer Data.
8.2. However, the Contractor shall be entitled to keep backup copies of the Customer Data for a period of 30 days, provided that deletion of the Customer’s data from these backup copies is technically impossible or impossible with regard to Art. 32 GDPR. For this period the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Clause 2.3.
8.3. Documentation which serves as proof of the orderly and proper processing of the Customer Data must be kept by the Contractor in accordance with the statutory retention periods beyond the end of the agreement.
9. Evidence & Checks
9.1. The Contractor shall ensure and regularly check that the processing of Customer Data is carried out in accordance with this DPA, including the scope of processing of Customer Data as set out in Annex 1 and the Customer’s instructions.
9.2. The Contractor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide the Customer with all necessary evidence of the Contractor’s compliance with the obligations under the GDPR and this DPA at the Customer’s request.
9.3. The Customer shall be entitled to audit the Contractor prior to the start of the processing of Customer Data and regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 3, either himself or through a qualified and auditor who is obliged to maintain secrecy; this shall include inspections. Contractor shall allow such inspections and shall contribute to such inspections by taking all reasonable and appropriate measures; inter alia by granting the necessary access and access rights and by providing all necessary information.
9.4. As far as possible, the checks and inspections should not hinder the Contractor in his normal business operations and should not place an excessive burden on him. In particular, inspections on the Contractor’s premises should not take place more than once per calendar year and only during the Contractor’s normal business hours without any specific reason. The Customer must notify the Contractor of inspections in good time in writing or text form.
9.5. In accordance with the provisions of the GDPR, the Customer and the Contractor are subject to public controls by the competent supervisory authority. At the request of the Customer, the Contractor shall provide the supervisory authority with the desired information and give it the opportunity for verification; this includes inspections at the contractor’s premises by the supervisory authority or by persons appointed by it. In this context, the Contractor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
The parties shall be liable within the scope of this DPA in accordance with the statutory provisions.
Purpose, nature and extent of data processing, type of data and categories of data subjects
Purpose of data processing
Operation of AI process automation software with the aim of automatically capturing data fields from documents, extracting them and forwarding them to a target system defined by the Customer (e.g. an ERP system)
Customized training of the AI Worker algorithm
Type and scope
of data processing
– Linking, organization and ordering
– Readout and adjustment
Type of applications operated: Self-operated web-based software solution (“Software-as-a-Service”) and applications of contract processors as defined in Annex 2. Place of data processing: Germany or EEA (according to Annex 2)
Type of Data
– Surnames and first names
– Company affiliation
– Contact information (address, phone number, e-mail)
– Customer and order numbers
– Payment information (e.g. bank account details)
– Contents of orders or other messages
– Delivery and shipping information
Categories of Data Subjects
– End Customers and other contacts (e.g. interested parties) of the Customer
– employees of end customers and other contacts of the Customer
– Employees of the Customer
of the contractor
Companies & Headquarters
Seattle, WA 98108-
United States of
Provision and technical maintenance of AWS services for the operation
of the Workist AI Workbench. The following DPA has been agreed as
part of the Service Agreement with AWS Inc.:
The following services (applications) are used by the subcontracted data
processor Amazon Web Services (AWS): AWS Elasticsearch, AWS
Textract, AWS Workmail.
The services run on server locations in
One Microsoft Place
Dublin 18, D18
Provision and technical maintenance of the Azure Services for the
operation of the Workist AI Workbench. The following DPA (as of
January 2020) has been agreed as part of the Service Agreement (as of
April 2020) with Microsoft Ireland Operations, Ltd.:
The subcontracted data processor Microsoft Ireland Operator Ltd. uses
the following Azure Services (applications): Azure Database for
PostgreSQL, Container Registry, Azure Virtual Computers, Azure
Kubernet Service, Azure Blob Storage, Azure Cache for Redis, Azure
Cognitive Services, Azure Key Vault. The services are executed on
server locations in Germany (Frankfurt) Region Germany Europe West
Center (all services) or in the Netherlands Region Europe West (Azure
Cognitive Services, Azure Virtual Computers with GPU cores).
Provision and technical maintenance of ABBYY Cloud OCR Services.
The following DPA (as of April 1, 2019) has been agreed as part of the
Service Agreement with ABBYY Europe GmbH:
Subcontracted data processor ABBYY Europe GmbH uses the ABBYY
Cloud OCR SDK product.
Provision and technical maintenance of the Open Telekom Cloud
service. A DPA was concluded, which will be passed on upon request.
The product Elastic Cloud Server GPU accelerated will be purchased
from the subcontracted data processor Deutsche Telekom GmbH.
Technical and organizational measure
AWS Inc. fulfills the following certifications (SOC1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC2, SOC3, FISMA, DoD SRG, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, MCTS Tier3) and implements AWS Inc. the requirements catalog Cloud Computing (C5) of the Federal Office for Information Security. Microsoft Ireland Operations, Ltd. meets the following certifications: SOC 1/2/3, ISO 27001,
ISO 27002 and ISO 27018, as well as the requirements of the EU-US Privacy Shield and the standard contractual clauses of the European Union Article 29 GDPR. Compliance with the certification standards is verified by means of regular audits carried out by independent third parties. ABBYY Cloud OCR SDK is SOC 2 Type II certified.
Unauthorized persons must be denied access to data processing systems.
– Alarm system
– Chip card/transponder locking system
– Security locks
– Key regulation
Application Level (AWS)
– Video surveillance of the buildings
– Electronic Intrusion Detection System
– Chip card/transponder locking system
– Employee and visitor badges
– Wearing of badges in the data center
– Reception with logging of visitors
– Permanent accompaniment of the visitors by employees
Application Level (Azure)
– Microsoft limits access to facilities where Customer Data processing information systems are located to identified, authorized individuals.
– For more information see Appendix A DPA Microsoft Online Services
It must be prevented that data processing systems can be used by unauthorized persons.
– Password rules
– Key regulation
– Encryption of data media
– Authentication with user + password
Application Level (AWS & Azure)
– AWS Network: Firewalls
– Azure Network: Firewalls
– AWS Network: Authentication
– Azure Network: Firewalls
– Azure Virtual Private Network
– Password rules
– Authentication with user + password
It must be ensured that systemic data access options exist only to the extent of authority and requirements, e.g. through encryption.
– Encryption of data media
– Authorization concept
– Password rules
– Reduce the number of administrators to the “most necessary” (currently 1)
– Administration of user rights only by system administrator rights
– Data transmission is exclusively via HTTPS
It must be ensured that personal data are not accessed by unauthorized persons during transmission, transport or on data carriers and that it is possible to determine to which bodies the data have been disclosed, e.g. by encryption.
– Data transmission is exclusively via HTTPS
Our system is designed to log when which user has added, deleted or changed which data. In addition, data that is no longer required is deleted.
It must be ensured that it can be determined whether personal data has been processed and by whom.
– Logging of data entry, modification and deletion
– Traceability of input, modification and deletion of data through individual user names (not user groups)
– Assignment of rights to enter, change and delete data based on an authorization concept
It must be ensured that data collected for different purposes – can be processed separately
– Storage of data from different systems on data carriers separated by virtualization
– Separation of production and test system
– Determination of database rights
– Logical Customer separation (on the software side)
– Creation of an authorization concept
It must be ensured that personal data is protected against loss.
– Replication of the data management in Azure
– Daily creation of encrypted back-ups of the data stored in the Azure Database for PostgreSQL service