A signed copy of the following data processing agreement can be requested via compliance@kuno.io.
Data processing agreement
in accordance with Art. 28 GDPR
KUNO GmbH
Management: Erica Ancobia
Cuvrystrasse 53
10997 Berlin
- Processor - hereinafter referred to as the contractor or KUNO -
1. Subject matter and duration of the contract
(1) Subject matter
The subject matter of the order results from the respective contract concluded between KUNO and the client, to which reference is made here (hereinafter the framework agreement).
(2) Duration
The order is limited to the term of the framework agreement and can be terminated by either party in accordance with the applicable general terms and conditions (available in their current version at www.kuno.io). The right to terminate without notice remains unaffected. In any case, this agreement ends with the effective termination of the framework agreement.
2. Specification of the content of the order
(1) Type and purpose of the intended processing of data
- The nature and purpose of the processing of personal data by the contractor for the client are specifically described in the framework agreement.
- The contractually agreed data processing is provided exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. of the GDPR are met. The appropriate level of protection for subcontractors in the United States of America is established through standard data protection clauses (Art. 46 (2) lit. c and d GDPR) and other measures (use of data servers in the European Union).
(2) Type of data
The subject matter of the processing of personal data is the following types and categories of data:
</gml_replace>
<gr_replace lines="26" cat="clarify" orig="- Awards">
- Qualifications (e.g. references and certificates)
a) Subject matter of processing of personal data in the area of human resources and payroll accounting:
- contact details (e.g. first and last name, address, email address, telephone number)
- correspondences
- Identification numbers (such as social security number, tax ID, passport or identity card number, insurance number)
- Payment data (e.g. account number, credit card number, financial institution)
- Physical characteristics (e.g. application photos)
- Awards (e.g. certificates and certificates)
- Information about ethnic and cultural origin
- Information about political, religious and philosophical beliefs (e.g. church tax certificate)
- Health data (e.g. medical diagnoses, certificates of incapacity for work)
- Information about trade union affiliations
- Genetic and biometric data (e.g. gender, facial geometry)
b) Subject matter of personal data processing in the area of finance:
- contact details (e.g. first and last name, address, email address, telephone number)
- correspondences
- Payment data (e.g. account number, credit card number, financial institution)
- customer data (e.g. billing data, user profiles, address, order history, payment data, CRM data)
(3) Categories of affected persons
The categories of persons affected by the processing include:
- customers
- interested parties
- employees
- suppliers
- sales representatives
- contact persons
- applicants
- business partners
- investors
3. Technical and organizational measures
(1) Before the start of processing, the contractor must document the implementation of the technical and organizational measures that were set out and required before the contract was awarded, in particular with regard to the specific execution of the order, and hand this documentation over to the client for review. Once accepted by the client, the documented measures become the basis of the order. Insofar as the client's review reveals a need for adjustment, this must be implemented by mutual agreement.
(2) The contractor must establish security in accordance with Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and para. 2 GDPR. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, must be taken into account (details in Appendix 1).
(3) The technical and organizational measures are subject to technical progress and development. In this respect, the contractor is permitted to implement alternative adequate measures. The security level of the defined measures must not be undercut. Significant changes must be documented.
4. Dealing with data subject rights
(1) Insofar as a data subject asserts their data subject rights directly against the contractor, the contractor will immediately forward this request to the client. The contractor may not correct, delete or restrict the processing of the data processed on behalf of the client, or provide information about it, on its own authority, but only in accordance with documented instructions from the client.
(2) Following the documented instructions from the client, the contractor shall immediately carry out the required deletion, correction, restriction, transfer of data or information and shall provide the client with written evidence of this.
5. Quality assurance and other obligations of the contractor
In addition to compliance with the provisions of this order, the contractor has statutory obligations under Articles 28 to 33 GDPR; in this respect, it guarantees compliance with the following requirements in particular:
- Written appointment of a data protection officer who performs his duties in accordance with Articles 38 and 39 GDPR. The contractor's data protection officer is currently: Intelliant GmbH, represented by Philipp Dannenberg, Immanuelkirchstraße 3-4, 10405 Berlin, dpo@intelliant.de
- Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, Art. 29 and Art. 32 para. 4 GDPR. When carrying out the work, the contractor only uses employees who are bound to confidentiality and have previously been familiarized with the data protection provisions relevant to them. The contractor and any person subordinate to the contractor who has access to personal data may only process this data in accordance with the instructions of the client, including the powers granted in this contract, unless they are legally obliged to process it.
- The implementation of and compliance with all technical and organizational measures required for this order in accordance with Art. 28 para. 3 sentence 2 lit. c and Art. 32 GDPR (details in Appendix 1).
- The client and the contractor shall, upon request, cooperate with the supervisory authority in the performance of its duties.
- Immediately informing the client of inspections and measures taken by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data in connection with the order processing at the contractor as part of administrative offence or criminal proceedings.
- Insofar as the client is in turn subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the order processing by the contractor, the contractor must support the client to the best of its ability.
- The contractor regularly checks internal processes and technical and organizational measures to ensure that processing in its area of responsibility is carried out in accordance with the requirements of applicable data protection law and that the rights of the data subject are protected.
- Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of its supervisory powers in accordance with section 7 of this contract.
6. Subcontracting relationships
(1) Subcontracting relationships within the meaning of this provision are services which relate directly to the provision of the main service. This does not include ancillary services that the contractor uses, such as telecommunications services, postal/transport services, maintenance and user support services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the contractor is obliged to conclude appropriate and legally compliant contractual agreements and to implement control measures to ensure the data protection and data security of the client's data, even in the case of outsourced ancillary services.
(2) The contractor may only commission subcontractors (further processors) with the prior express written or documented consent of the client.
- The client agrees to the appointment of the subcontractors listed in Appendix 2, subject to a contractual agreement in accordance with Article 28 (2) to (4) GDPR;
- Outsourcing to subcontractors or changing an existing subcontractor is permitted, provided that:
- the contractor notifies the client of such outsourcing to subcontractors a reasonable time in advance in writing or in text form, and
- the client has not objected to the planned outsourcing in writing or in text form to the contractor by one calendar week before the date of transfer of the data, and
- a contractual agreement in accordance with Article 28 (2) to (4) GDPR is in place.
(3) The transfer of the client's personal data to the subcontractor and the subcontractor's first action on it are only permitted once all conditions for subcontracting have been met.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the contractor ensures admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.
(5) Further outsourcing by the subcontractor requires the express consent of the main contractor (at least in writing). All contractual provisions in the contract chain must also be imposed on the further subcontractor.
7. Client's control rights
(1) The client has the right, in consultation with the contractor, to carry out reviews of the contractor's technical and organizational measures, or to have them carried out by auditors appointed in the individual case, provided that they are not in a competitive relationship with the contractor. The client has the right to verify that the contractor complies with this agreement in its business operations by means of spot checks, which must generally be announced in good time.
(2) The contractor shall ensure that the client can satisfy itself that the contractor has complied with its obligations under Article 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to demonstrate the implementation of the technical and organizational measures.
(3) Evidence of such measures, insofar as they do not relate solely to the specific order, may be provided by
- compliance with approved codes of conduct in accordance with Article 40 GDPR, confirmed by an independent body (e.g. data protection officer, IT security department, data protection auditors, quality auditors), or
- current attestations, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors).
(4) For enabling checks by the client, the contractor may assert a claim to remuneration.
8. Notification of violations by the contractor
(1) The contractor supports the client in complying with the obligations set out in Articles 32 to 36 GDPR regarding the security of personal data, notification requirements in the event of data breaches, data protection impact assessments and prior consultations. This includes:
- ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach resulting from security vulnerabilities, and that enable relevant breach events to be identified immediately,
- the obligation to report personal data breaches to the client immediately,
- the obligation to assist the client with its obligation to inform the data subject and to provide the client with all relevant information immediately in this context,
- supporting the client with its data protection impact assessment,
- assisting the client in the context of prior consultations with the supervisory authority.
(2) The contractor may claim remuneration for support services that are not included in the service description or are not attributable to misconduct on the part of the contractor.
9. Client's authority to issue instructions
(1) The client will confirm oral instructions immediately (at least in text form).
(2) The contractor must immediately inform the client if it believes that an instruction violates data protection regulations. The contractor is entitled to suspend execution of the instruction concerned until it is confirmed or amended by the client, at least in text form.
10. Deletion and return of personal data
(1) Copies or duplicates of the data will not be made without the knowledge of the client. This does not include backup copies, insofar as they are necessary to ensure proper data processing, or data required to comply with statutory retention obligations.
(2) After completion of the contractually agreed work, or earlier upon request by the client, and at the latest upon termination of the framework agreement, the contractor must hand over to the client all documents, processing and usage results created, and data relating to the contractual relationship, or destroy them in a data protection-compliant manner with the client's prior consent. The same applies to test and reject material. The deletion log must be provided upon request.
(3) Documentation that serves as proof of orderly and proper data processing must be kept by the contractor beyond the end of the contract in accordance with the respective retention periods. To relieve itself of this obligation, the contractor may hand such documentation over to the client at the end of the contract.
Appendix 1 —
Order processing agreement in accordance with Art. 28 GDPR
1. Confidentiality (Article 32 (1) (b) GDPR)
I. Physical access control measures (Zutrittskontrolle)
- Access protection for the premises is ensured by security services, video surveillance in the entrance area and electronic access control
- Rooms are secured by security locks/smart card readers
- Definition of persons authorized to access
- Administration and documentation of personal access authorizations
- Access control for visitors and external personnel
- Monitoring of rooms outside business hours with security locks/chip card readers and a security service
II. System access control measures (Zugangskontrolle)
- Access protection to all data processing systems through user authentication
- Existence of boot passwords (desktop and laptops)
- Full-disk encryption of hard drives, effective in standby and when switched off
- WLAN security by disabling insecure procedures (e.g. WPS, WPA), password policies and a separate guest network
- Login data, in particular passwords, are managed in password managers
- Strong authentication at the highest level of protection through mechanisms that require both possession and knowledge (two-factor authentication), or through a time-based one-time password (TOTP) in addition to login credentials
- Authentication secrets are only transmitted over the network in encrypted form
- Lockout after failed login attempts: access is blocked after 3 failed attempts, with a secure procedure for resetting blocked access IDs
- Users have been informed of the prohibition on storing passwords and/or form entries on clients (e.g. in the browser, in “password databases” or on sticky notes)
- Definition of authorized persons through role concepts (predefined user profiles), individual allocation of access rights and regular review of authorized persons
- Administration and documentation of personal authentication media and access authorizations through a defined process for applying for, approving, issuing and withdrawing authentication media
- Logging of logins by archiving all successful and rejected login attempts (user ID used, computer, IP address), with spot-check evaluation
- Employees are trained and committed to measures to protect the user's workplace.
III. Data access control measures (Zugriffskontrolle)
- Existence of rules and procedures for creating, changing, deleting authorization profiles or user roles
- Use of passwords and defined password rules
- The scope of authorizations is limited to the minimum required to perform the respective task or function (logical, temporal, etc.)
- Administration and documentation of personal access rights through a process for granting and withdrawing access authorizations and their verification, linking authorizations to an account, revocation when authorization ceases to exist, and storage of documentation
- Appropriate measures prevent the combination of different roles or access rights in one person from resulting in an excessive overall authorization
- Logging data access by archiving read, input, change, and delete transactions
- Secure storage and encryption of data carriers.
IV. Separation control measures
- Implementation and documentation of a separation of functions (e.g. four-eyes principle)
- Existence of guidelines and work instructions
- Existence of procedural documentation
- There are technical and organizational rules and measures to ensure the separate processing (storage, modification, deletion, transfer, etc.) and/or storage of data and/or data carriers for different contractual purposes.
V. Pseudonymization measures (Article 32 (1) (a) GDPR; Article 25 (1) GDPR)
- Instructions to employees on the general implementation of pseudonymization, unless a personal reference is absolutely necessary for processing
- Instructions for employees to pseudonymize data when communicating and processing with subcontractors.
2. Integrity (Art. 32 para. 1 lit. b GDPR)
I. Transfer control measures
- Existence of a system for making copies
- Security gateways at network transfer points through activated network/hardware firewalls and personal/desktop firewalls
- Secure storage of data through encryption
- The use of mobile data carriers is limited to a minimum and is exclusively encrypted
- Employees are trained on existing procedural regulations for data carrier management
- There are mandatory packaging and shipping regulations for the transport of personal data using data carriers
- There are regulations for the destruction of data carriers and documents in accordance with data protection regulations
- For a data protection-compliant erasure/destruction process, data carriers and hardware components are erased in accordance with data protection regulations before being reused by other users; recovery of the erased data is either impossible or possible only with disproportionate effort
- Deletion logs: the complete, data protection-compliant and permanent deletion of data or data carriers containing the client's customer data is logged, and the logs are archived
II. Input control measures
- Allocation of rights to enter, change and delete data based on an authorization concept
- The entry, change and deletion of data are logged and archived
- Traceability of entry, change and deletion of data through individual user names
III. Availability and resilience measures (Article 32 (1) (b) GDPR)
- There is a backup concept, including the appointment of a responsible person and a deputy, and it is regularly tested whether backups can be restored
- There is an emergency plan which outlines the steps to be taken and determines which persons, in particular on the part of the client, must be notified of the incident.
- Regular monitoring of the status and markings of data carriers for data backups
- Use of up-to-date anti-virus software
3. Procedures for regular review, assessment and evaluation (Article 32 (1) (d) GDPR; Article 25 (1) GDPR)
I. Data protection management / measures for regular review, assessment and evaluation
- Appointment of a data protection officer
- Defining the review intervals
- Monitoring the performance of the evaluation
- Evaluation of the results
- Adjusting the TOMs if necessary
II. Incident response management measures
- Identifying possible cases of a data breach
- Description of the process that has to happen in the event of a data breach
- Description of responsibilities
- Description of the technical process for resolving a data breach
III. Measures for privacy-friendly default settings (Article 25 (2) GDPR)
- Development of a concept for data protection through technology (“privacy by design”)
- Development of a concept for privacy-friendly default settings (“privacy by default”)
- Minimize the amount of data collected
- Reducing the amount of data processing
- Reducing storage periods
- Restricting the accessibility of data
IV. Order control measures
- Careful selection of the contractor (in particular with regard to data security)
- Written instructions to the contractor (e.g. through a data processing agreement)
- Effective control rights agreed vis-à-vis the contractor
- Contractual penalties for violations
- Prior review and documentation of security measures taken by the contractor
- Obligation of the contractor's employees to maintain data secrecy
- Ensuring the destruction of data after completion of the order
- Ongoing review of the contractor and its activities
Appendix 2 —
Order processing agreement in accordance with Art. 28 GDPR
The client agrees to the appointment of the following subcontractors, subject to a contractual agreement in accordance with Article 28 (2) to (4) GDPR:
Microsoft Ireland Operations Limited
The Atrium Building
Block B, Carmanhall Road
Sandyford Business Estate
Dublin 18, Ireland
Email system, data storage, server location Germany
Adobe Systems Software Ireland Limited
4-6 Riverwalk
Citywest Business Campus
Dublin 24, Ireland
Sending and storing digital signatures
Commehr GmbH
Nürnberger Strasse 38
10777 Berlin
Germany
Service provider for IT security, IT maintenance and IT consulting
Freshworks Ltd.
Neue Grünstraße 17
10179 Berlin
Germany
Customer Support & Ticketing System
Agenda Information Systems GmbH & Co. KG
Oberaustrasse 14
93026 Rosenheim
Germany
Commercial financial accounting
Northwind — Payroll Service & HR Consulting UG (haftungsbeschränkt)
Carl-von-Ossietzky-Weg 63
21684 Stade
Germany
Payroll accounting
Clockodo GmbH
Viktoriastrasse 25 A
59425 Unna
Germany
Time recording system
DATEV eG
Paumgartner Strasse 6-14
90429 Nürnberg
Germany
Commercial financial accounting
Easybill GmbH
Düsselstraße 21
41564 Kaarst
Germany
Processing, preparation and storage of invoices
Dresden Network GmbH
Fritz-Meinhardt-Strasse 70
01239 Dresden
Germany
DATEV system partner as service provider
EDVA GmbH
Lampestrasse 7
04107 Leipzig
Germany
DATEV system partner as service provider
Project B GmbH
Karlsplatz 3
80335 Munich
Germany
Personnel management system, payroll pre-entry system
