A signed version of the following data processing agreement may be requested via compliance@kuno.io.
Data Processing Agreement
in accordance with Art. 28 General Data Protection Regulation (GDPR)
KUNO GmbH
Geschäftsführung: Katharina Jung, Erica Ancobia
Cuvrystraße 53
10997 Berlin
- hereinafter referred to as the Processor -
1. Scope and duration
(1) Subject
The subject matter of the order results from the KUNO Service Agreement to which reference is made here (hereinafter referred to as Framework Agreement).
(2) Duration
The order is limited to the term of the Framework Agreement and may be terminated by either party in accordance with the applicable Terms and Conditions (current version available at www.kuno.io). The right to terminate without notice remains unaffected. In any case, the order ends upon effective termination of the Framework Agreement.
2. Specification of the data processing agreement
(1) Nature and purpose of the intended processing of data
- The nature and purpose of the processing of personal data by the Processor for the Controller are specifically described in the Framework Agreement.
- The Processor is entitled to use the Controller's data for statistical purposes in anonymized, irreversible form, i.e. without any possibility of identifying a natural person or the Controller.
- The contractually agreed data processing shall take place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Controller and may only take place if the special requirements of Artt. 44 et seq. DS-GVO are fulfilled. For sub-processors in the United States of America, an appropriate level of protection is established by standard data protection clauses (Art. 46 para. 2 lit. c and d DS-GVO) and supplementary measures (use of data servers in the European Union).
(2) Type of data
The subject of the processing of personal data are the types/categories of data listed as follows.
a) The subject of the processing of personal data in the area of Human Resources Administration and Payroll Accounting:
- Contact details (e.g. first and last name, address, e-mail address, telephone number)
- Correspondences
- Identification numbers (e.g. social security number, tax number, tax ID, passport or ID card number, insurance number)
- Payment data (e.g. account number, credit card number, financial institution)
- Physical characteristics (e.g. application photos)
- Awards (e.g. testimonials and certificates)
- Information about ethnic and cultural origin
- Information on political, religious, and philosophical worldview (e.g., church tax record)
- Health data (e.g. medical diagnoses, certificates of incapacity for work)
- Information on trade union affiliations
- Genetic and biometric data (e.g. gender, geometry of the face)
b) The following data types/categories are the subject of the processing of personal data in Finance Operations:
- Contact details (e.g. first and last name, address, e-mail address, telephone number)
- Correspondences
- Payment data (e.g. account number, credit card number, financial institution)
- Customer data (e.g. billing data, user profiles, address, order history, payment data, CRM data)
(3) Categories of affected persons
The categories of data subjects affected by the processing include:
- Clients
- Interested parties
- Employees
- Suppliers
- Sales representatives
- Contacts
- Applicants
- Business partners
- Investors
3. Technical-organizational measures
(1) The Processor shall document the implementation of the technical and organizational measures set out and required in the run-up to the award of the contract before the start of the processing, in particular with regard to the specific execution of the contract and shall hand them over to the Controller for inspection. If accepted by the Controller, the documented measures shall become the basis of the order. Insofar as the examination/audit of the Controller reveals a need for adaptation, this shall be implemented by mutual agreement.
(2) The Processor shall establish security pursuant to Art. 28 Para. 3 lit. c, 32 DS-GVO, in particular in connection with Art. 5 Para. 1, Para. 2 DS-GVO. The measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, must be taken into account (details in Exhibit 1).
(3) The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes shall be documented.
4. Correction, restriction and erasure of personal data
(1) Insofar as a data subject asserts its data subject rights directly against the Processor, the Processor shall immediately forward this request to the Controller. The Processor may not correct, delete, restrict the processing of or provide information about the data processed on behalf of the Controller on its own authority, but only in accordance with the Controller's documented instructions.
(2) Upon the documented instruction of the Controller, the Processor shall immediately carry out the requested deletion, correction, restriction, data transfer or information and shall provide the Controller with written evidence thereof.
5. Quality assurance and other obligations of the Processor
In addition to compliance with the provisions of this Order, the Processor shall have statutory obligations pursuant to Art. 28 to 33 of the GDPR; in this respect, the Processor shall in particular ensure compliance with the following requirements:
- Written appointment of a data protection officer who performs his activities in accordance with Artt. 38 and 39 DS-GVO. The Processor's data protection officer is currently: Intelliant GmbH, represented by Philipp Dannenberg, Immanuelkirchstraße 3-4, 10405 Berlin, dpo@intelliant.de
- Maintaining confidentiality in accordance with Art. 28 (3) p. 2 lit. b, 29, 32 (4) DS-GVO. When performing the work, the Processor shall only use employees who have been obligated to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data may process this data exclusively in accordance with the Controller's instructions, including the powers granted in this contract, unless they are legally obliged to process it.
- The implementation of and compliance with all technical and organizational measures required for this order in accordance with Artt. 28 (3) p. 2 lit. c, 32 DS-GVO (details in Exhibit 1).
- The Controller and the Processor shall, upon request, cooperate with the Supervisory Authority in the performance of its duties.
- Informing the Controller without delay about inspections and measures of the supervisory authority, insofar as they relate to this order. This shall also apply insofar as a competent authority investigates, in the context of administrative offense or criminal proceedings, the processing of personal data carried out at the Processor under this order.
- Insofar as the Controller is exposed to an inspection by the supervisory authority, administrative offense or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Processor, the Processor shall support the Controller to the best of its ability.
- The Processor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
- Verifiability of the technical and organizational measures taken vis-à-vis the Controller within the scope of its control powers pursuant to Section 7 of this Agreement.
6. Subcontracting
(1) Subcontracting relationships within the meaning of this provision are those services which relate directly to the provision of the main service. This does not include ancillary services which the Processor uses, such as telecommunications services, postal/transport services, maintenance and user support, or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor shall be obligated to put in place appropriate and legally compliant contractual agreements as well as control measures to ensure the data protection and data security of the Controller's data also in the case of outsourced ancillary services.
(2) The Processor may engage sub-processors (further processors) only with the prior express written or documented consent of the Controller.
- The Controller consents to the commissioning of the sub-processors listed in Exhibit 2 subject to the condition of a contractual agreement in accordance with Article 28 (2-4) of the GDPR;
- Outsourcing to sub-processors or changing the existing sub-processor is permitted to the extent:
- the Processor notifies the Controller of such outsourcing to sub-processors a reasonable time in advance in writing or text form, and
- the Controller does not object to the planned outsourcing in writing or in text form to the Processor no later than one calendar week before the date of the transfer of the data, and
- a contractual agreement in accordance with Article 28 (2-4) of the GDPR is used as a basis.
(3) The transfer of personal data of the Controller to the sub-processor and its first activity shall be permitted only after all requirements for subcontracting have been met.
(4) If the sub-processor provides the agreed service outside the EU/EEA, the Processor shall ensure that it is permissible under data protection law by taking appropriate measures. The same shall apply if service providers within the meaning of Paragraph 1 Sentence 2 are to be used.
(5) Further outsourcing by the sub-processor requires the express consent of the main Processor (at least in text form). All contractual regulations in the contractual chain must also be imposed on the further sub-processor.
7. Supervisory powers of the Controller
(1) The Controller shall have the right, in consultation with the Processor, to carry out inspections of the Processor's technical and organizational measures or to have such inspections carried out by inspectors to be named in individual cases, provided that such inspectors are not in a competitive relationship with the Processor. It shall have the right to satisfy itself of the Processor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.
(2) The Processor shall ensure that the Controller can satisfy itself of the Processor's compliance with its obligations pursuant to Art. 28 of the GDPR. The Processor undertakes to provide the Controller with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
(3) Evidence of such measures, which do not only concern the specific order, can be provided by
- Compliance with approved rules of conduct pursuant to Art. 40 DS-GVO confirmed by an independent body (e.g. data protection officer, IT security department, data protection auditors, quality auditors) or
- current attestations, reports or report extracts from independent bodies (e.g. auditors, audit firms, data protection officers, IT security department, data protection auditors, quality auditors).
(4) The Processor may claim remuneration for enabling inspections by the Controller.
8. Communication in the case of infringements by the Processor
(1) The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things
- ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential security breach, and that allow the immediate detection of relevant breach events,
- the obligation to report personal data breaches to the Controller without delay,
- the obligation to support the Controller within the scope of its duty to inform the data subject and to provide it with all relevant information in this context without delay,
- support of the Controller in its data protection impact assessment,
- support of the Controller within the framework of prior consultations with the supervisory authority.
(2) The Processor may claim compensation for support services that are not included in the Statement of Work or are not due to the Processor's misconduct.
9. Authority of the Controller to issue instructions
(1) The Controller shall confirm verbal instructions without delay (at least in text form).
(2) The Processor shall inform the Controller without delay if it is of the opinion that an instruction violates data protection regulations. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Controller at least in text form.
10. Deletion and return of personal data
(1) Copies or duplicates of the data will not be made without the knowledge of the Controller. Excluded from this are security copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory retention obligations.
(2) After completion of the contractually agreed work, or earlier upon request by the Controller, and at the latest upon termination of the Framework Agreement, the Processor shall hand over to the Controller all documents, processing and utilization results and data files related to the contractual relationship that have come into its possession or, after prior consent, destroy them in accordance with data protection requirements. The same shall apply to test and reject material. The deletion log shall be submitted upon request.
(3) Documentation that serves as proof of orderly and proper data processing shall be retained by the Processor beyond the end of the contract in accordance with the respective retention periods. The Processor may hand them over to the Controller at the end of the contract to relieve the Processor.
Exhibit 1 –
Data Processing Agreement
in accordance with Art. 28 General Data Protection Regulation (GDPR)
Technical-organizational measures
1. Confidentiality (Art. 32 para. 1 lit. b DS-GVO)
I. Physical admission control measures
- Access protection to the premises is ensured by a security service, video surveillance in the entrance area and an electronic access control system
- Rooms are secured by security locks / smart card reader
- Determination of authorized persons
- Management and documentation of personal access authorizations
- Access control of visitors and external personnel
- Monitoring of the rooms outside business hours through security locks / smart card readers and a security service
II. System access control measures
- Access protection to all data processing systems through user authentication
- Existence of boot passwords (desktop and laptops)
- Full encryption of hard disks in standby and off state
- WLAN security through deactivation of insecure methods (e.g. WPS, WPA), password policies and a separate guest network
- Access data, in particular passwords, are managed in password managers
- Strong authentication using mechanisms that require both possession and knowledge (two-factor authentication), e.g. a Time-based One-Time Password (TOTP) in addition to the login credentials
- Authentication secrets are transmitted over the network only in encrypted form
- Account lockout after 3 failed login attempts and a defined, secure procedure for resetting locked access IDs
- Users are instructed about the prohibition of saving passwords and/or form entries (clients) (e.g. through storage in the browser, "password databases," or sticky notes)
- Determination of authorized persons through the existence of role concepts (predefined user profiles), individually assigned access rights as well as regular reviews of authorized persons
- Management and documentation of personal authentication media and access authorizations through a defined process for requesting, approving, issuing and withdrawing authentication media and access authorizations
- Logging of the access through archived successful and rejected access attempts (used identifier, computer, IP address) and random evaluations
- Measures at the user's workplace
- If a workstation or terminal is inactive for more than 5 minutes, it locks and requires a password to resume
- Workstations and terminals are protected against unauthorized use by the employee when temporarily leaving the workplace
- All employees are trained in and comply with the measures to protect the user workplace
III. Data access control measures
- Existence of rules and procedures for creating, modifying, deleting authorization profiles or user roles.
- Use of passwords and defined password rules
- The scope of the authorizations is limited to the minimum necessary for the respective task or function fulfillment (logically, temporally, etc.).
- Management and documentation of personal access authorizations by means of a process for granting and revoking access authorizations and checking them, linking authorizations to an account, revoking them if the authorization is no longer valid, and retaining the documentation
- Appropriate measures have been taken to prevent the concentration of different roles or access rights on one person from giving this person an overpowering overall control in combination
- Logging of data access by archiving read, input, change and delete transactions
- Secure and encrypted storage of data media
IV. Data separation control measures
- Implementation and documentation of a separation of functions (e.g. dual control principle)
- Existence of guidelines and work instructions
- Existence of procedural documentation
- Technical and organizational regulations and measures are in place to ensure separate processing (storage, modification, deletion and transfer, etc.) and/or storage of data and/or data carriers with different contractual purpose
V. Pseudonymization measures (Art. 32 para. 1 lit. a DS-GVO; Art. 25 para. 1 DS-GVO)
- Instruction of employees on the general implementation of pseudonymization, unless a personal reference is absolutely necessary for processing
- Instruction of employees on pseudonymization of data during communication and processing with subcontractors
2. Integrity (Art. 32 para. 1 lit. b DS-GVO)
I. Transfer control measures
- Existence of a regulation for the making of copies
- Security gateways through network/hardware firewalls and host (personal/desktop) firewalls that are enabled on user devices
- Secure storage of data through encryption
- The use of mobile data carriers is limited to a minimum and takes place exclusively in encrypted form
- Employees are trained on existing procedures for data medium management
- Mandatory packaging and shipping regulations exist for the transport of personal data by means of data carriers
- There are regulations for the destruction of data media and documents in compliance with data protection requirements
- For a data protection-compliant deletion/destruction process, data carriers as well as hardware components are deleted in a data protection-compliant manner before they are reused by other users; recovery of the deleted data is not possible at all or only with disproportionate effort
- Deletion logs by logging the complete, data protection-compliant and permanent deletion of data or data carriers with customer data of the client and log archiving
II. Input control measures
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
- The entry, modification and deletion of data are logged and archived
- Traceability of input, modification and deletion of data through individual user names
III. Availability and resilience control measures (Art. 32 para. 1 lit. b DS-GVO)
- A backup concept exists, including the designation of the responsible person and representative, and it is regularly checked whether it is possible to restore a backup
- An emergency plan exists in which the steps to be taken are listed and it is determined which persons, in particular also on the part of the customer, are to be informed about the incident
- Regular control of the condition and markings of data carriers for data backups
- Existence of an up-to-date antivirus program
3. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
I. Data protection management / Measures for regular review, assessment and evaluation
- Selection of a data protection officer
- Determination of the testing rhythms
- Control of the implementation of the evaluation
- Evaluation of the results
- Adjustment of the TOM if necessary
II. Incident response management measures
- Identification of possible cases of data breach
- Description of the process what has to happen in case of a data breach
- Description of responsibilities
- Description of the technical procedure for eliminating a data breach
III. Data protection-friendly default settings measures (Art. 25 (2) DS-GVO)
- Creation of a concept for data protection by technology ("privacy by design")
- Creation of a concept for data protection-friendly default settings ("privacy by default")
- Minimize the amount of data collected
- Reduction of the scope of data processing
- Reduction of storage periods
- Restricting access to the data
IV. Order control measures
- Selection of the contractor under due diligence aspects (especially with regard to data security)
- Written instructions to the contractor (e.g. by order data processing contract)
- Effective control rights vis-à-vis the contractor agreed
- Contractual penalties for violations
- Prior review and documentation of the security measures taken at the contractor's site.
- Obligation of the contractor's employees to maintain data secrecy
- Ensuring the destruction of data after the completion of the order
- Ongoing review of the contractor and its activities
Exhibit 2 –
Data Processing Agreement
in accordance with art. 28 General Data Protection Regulation (GDPR)
Subcontracting relationships
The Controller consents to the engagement of the following subcontractors subject to the condition of a contractual agreement in accordance with Article 28 (2-4) of the GDPR:

Subcontractor: Microsoft Ireland Operations Limited
Address/Country: The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, Ireland
Purpose: E-mail system, data storage, server location Germany

Subcontractor: Adobe Systems Software Ireland Limited
Address/Country: 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland
Purpose: Sending / storing of digital signatures

Subcontractor: Commehr GmbH
Address/Country: Nürnberger Straße 38, 10777 Berlin, Germany
Purpose: Service provider for IT security, IT maintenance, IT consulting

Subcontractor: Freshworks Ltd.
Address/Country: Neue Grünstraße 17, 10179 Berlin, Germany
Purpose: Customer support & ticketing system

Subcontractor: Finui GmbH
Address/Country: Blumenstraße 47, 10243 Berlin, Germany
Purpose: Invoice approval process, ticketing system, data storage medium

Subcontractor: Northwind – Payroll Service & HR Consulting UG (hb)
Address/Country: Carl-von-Ossietzky-Weg 63, 21684 Stade, Germany
Purpose: Payroll administrator

Subcontractor: Clockodo GmbH
Address/Country: Viktoriastraße 25 A, 5, Germany
Purpose: Time tracking system

Subcontractor: DATEV eG
Address/Country: Paumgartner Street 6-14, 90429 Nuremberg, Germany
Purpose: Commercial financial accounting

Subcontractor: Easybill GmbH
Address/Country: Düsselstraße 21, 41564 Kaarst, Germany
Purpose: Processing, creation and storage of invoices

Subcontractor: Netzwerk Dresden GmbH
Address/Country: Fritz-Meinhardt-Straße 70, 01239 Dresden, Germany
Purpose: DATEV system partner as service provider