ANNEX DPA: DATA PROCESSING ADDENDUM - CORP
Preamble
KYP.ai Corp. ("Contractor") provides the KYP.ai Software for process analysis and optimization to the Customer as SaaS. The Customer’s usage of the Software includes the processing of personal data by the Contractor on instruction of the Customer.
This Data Processing Addendum ("DPA") specifies, as part of the main Contract, the obligations of both parties to comply with applicable data protection law, in particular the requirements of the EU General Data Protection Regulation ("GDPR").
Scope and Instructions
2.1 The Contractor shall process personal data on behalf of the Customer. The subject of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in the main agreement and in Schedule A to this DPA.
2.2 The Contractor may process data of data subjects only within the scope of the Main Agreement and the documented instructions of the Customer. The instructions shall initially be determined by the Main Agreement and may thereafter be amended, supplemented, or replaced by the Customer in text form. Verbal instructions shall be confirmed by the Customer in text form without delay.
2.3 Unless otherwise instructed by the Customer, the data processing shall take place exclusively within the European Union or the EEA. Any relocation of the data processing to a third country outside the European Union or the EEA shall require the express consent of the Customer.
2.4 If the Contractor is obliged to process personal data under the law of the Union or the Member State to which the Contractor is subject, the Contractor shall inform the Customer thereof in writing prior to the respective processing, unless the law prohibits such information for important reasons of public interest. In the latter case, the Contractor shall inform the Customer without undue delay as soon as this is legally possible for the Contractor.
2.5 The Contractor shall inform the Customer immediately if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Customer.
Technical and Organizational Measures
3.1 The Contractor undertakes vis-à-vis the Customer to implement and maintain the technical and organizational measures required to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.
3.2 The status of the technical and organizational measures existing at the time of the conclusion of this DPA is documented in Schedule B to this DPA. The Parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor reserves the right to change the security measures taken, but it must be ensured that the contractually agreed level of protection is not undercut. The Customer may request a current overview of the technical and organizational measures taken by the Contractor at any time.
Data Subject Rights
4.1 The Contractor shall support the Customer within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR (in particular information, correction, blocking or deletion). Insofar as the cooperation of the Contractor is necessary for the protection of data subject rights by the Customer, the Contractor shall take the measures required in each case in accordance with the instructions of the Customer. The Contractor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subject rights.
4.2 The Contractor may only provide information to third parties or to the data subject with the prior consent of the Customer. The Contractor shall immediately forward any inquiries addressed directly to it to the Customer.
Other Obligations of the Contractor
5.1 The Contractor shall inform the Customer without undue delay, at the latest within 24 hours, if it becomes aware of any personal data breach related to the personal data processed on the Customer’s instruction.
5.2 In connection with the processing, the Contractor shall support the Customer in creating and updating the register of processing activities and, if necessary, in conducting a data protection impact assessment. All required information and documentation shall be made available to the Customer without undue delay upon request.
5.3 If the Customer is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the Contractor undertakes to support the Customer to the extent necessary insofar as the processing under the Contract is affected.
5.4 The persons employed by the Contractor for processing have committed themselves in writing to confidentiality, have been familiarized with the relevant provisions of data protection and are instructed and monitored appropriately on an ongoing basis with regard to compliance with data protection requirements.
5.5 The Contractor shall assist the Customer in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to it.
Rights and Obligations of the Customer
6.1 The Customer alone is responsible for assessing the permissibility of the instructed processing and for safeguarding the rights of the affected data subjects.
6.2 The Customer shall be entitled to audit and inspect the Contractor's compliance with the provisions on data protection and the contractual agreements to a reasonable extent itself or through third parties. The persons entrusted with the control shall be given access and insight by the Contractor to the extent necessary and possible. The Contractor shall be obliged to provide the necessary information, demonstrate processes, and provide evidence required to carry out an audit or inspection. Inspections at the Contractor's premises shall be carried out without any avoidable disruptions to business operations. Unless otherwise indicated for urgent reasons to be documented by the Customer, inspections shall take place after reasonable advance notice and during the Contractor's business hours and not more frequently than every 12 months.
Sub-Processors
7.1 The commissioning of sub-processors by the Contractor shall only be permissible with the consent of the Customer. The Customer consents to the engagement of sub-processors in accordance with the Sub-Processor Overview, attached hereto as Schedule C to this DPA. The Sub-Processor Overview also defines the process for future changes to sub-processors.
7.2 The Contractor shall carefully select sub-processors and check before commissioning that they can comply with the agreements made between the Customer and the Contractor. In particular, the Contractor shall check that all sub-processors have taken the technical and organizational measures for the protection of personal data required under Art. 32 GDPR.
7.3 Services which the Contractor obtains from third parties as purely ancillary services in order to carry out its business activity shall not be regarded as sub-processing relationships within the meaning of this DPA. This includes, for example, cleaning services, pure telecommunications services without any specific reference to the services that the Contractor provides for the Customer, postal and courier services, transport services and guarding services.
7.4 The commissioning of sub-processors shall not affect the contractual and data protection obligations of the Contractor towards the Customer. The Contractor shall be liable for acts and omissions of its sub-processors as if they were its own acts or omissions.
Deletion and Return of Personal Data
8.1 Copies or duplicates of the data will not be made without the knowledge of the Customer. Excluded from this are security copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory retention obligations.
8.2 Upon expiry/termination of the Main Agreement or earlier upon request by the Customer, the Contractor shall hand over the personal data processed on instruction of the Customer to the Customer or delete the data in accordance with data protection requirements.
8.3 Documentation that serves as proof of the orderly and proper data processing shall be retained by the Contractor in accordance with the respective retention periods beyond the expiry/termination of the Main Agreement.
SCHEDULE A: DESCRIPTION OF THE PROCESSING
Controller and Processor
The Customer is a data controller within the meaning of the GDPR and uses the KYP.ai Software as SaaS in order to analyze and optimize its internal processes. Data collected locally on the Customer's computers or VMs is transferred to the Server, where the data is stored, aggregated and analyzed. The results and analyses are presented to the Customer via the Frontend. Both Server and Frontend are provided as Software as a Service (SaaS) to the Customer.
Data Subjects
The personal and business data processed on instruction concerns employees of the Customer whose processes or activities are being analyzed as well as the data the employees are processing.
Data Categories
The personal data processed on instruction belong to the following categories of data:
Surname and first name;
Job title;
Employee number;
Email address;
Device information;
Data on the analyzed activity of the respective employee;
Other data provided to the Contractor by the Customer for the performance of its services or collected by the Contractor for the Customer in the course of the performance of the Contractor's services.
Special Categories of Personal Data
The personal data processed on instruction of the Customer do not regularly include special categories of personal data pursuant to Art. 9 GDPR (e.g. health data), unless such special categories of personal data are made available to the Contractor by the Customer for the performance of the Contractor's services or are collected by the Contractor in the course of the performance of its services on the instruction and on behalf of the Customer.
Subject and Duration of Processing
The personal data processed on instruction shall be processed for the performance of the Contractor's services agreed in the Main Agreement. The data shall be processed on the instructions of the Customer as defined in this DPA. The data shall be deleted, as defined above, at any time upon instruction of the Customer. The data will be deleted upon expiry/termination of the Main Agreement. The Customer may export the data at any time. The duration of the processing and the term of this DPA correspond to the duration/term of the Main Agreement.
SCHEDULE B: TECHNICAL AND ORGANIZATIONAL MEASURES
The following technical and organizational measures within the meaning of Art. 32 GDPR have been taken by the Contractor:
CONFIDENTIALITY
1.1 Physical Access Control Hosting/Data Center
The KYP.ai Software is hosted either on-premise at the Customer or in data centers provided by the Customer or by KYP.ai, as defined in the Order Form. For a detailed documentation of the technical and organizational data security measures taken in data centers provided by KYP.ai and any relevant certifications in the field of information security please refer to the documentation of the respective data center provider (e.g. for AWS https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html) or contact KYP.ai for such documentation.
1.2 System Access Control
To gain access to IT systems, users must have the appropriate access authorization. To this end, corresponding user authorizations are issued by administrators. However, this is only done if requested by the respective supervisor.
The user is then given a username and an initial password, which must be changed the first time the user logs in. The password defaults include a minimum password length of 8 characters, where the password must consist of upper/lower case letters, numbers, and special characters.
Passwords are changed every 90 days. Passwords with a minimum length of 32 characters are exempt from this rule; no periodic change is required for them.
A password history is stored. This ensures that the past 10 passwords cannot be used again. Incorrect login attempts are logged. If the wrong password is entered 3 times, the respective user account is blocked.
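The password rules of this section (minimum length and character classes, 90-day rotation with the 32-character exemption, 10-entry history, lockout after three failed attempts, and the forced change of the initial password) expressed as a runnable check. This is an added illustration and not code from the DPA or from KYP.ai: the in-memory Account record, the use of PBKDF2-HMAC-SHA256 for storing password digests, and the usernames, passwords and dates in demo_run() are assumptions constructed for the example.

```python
"""Account checks implementing the password rules listed in Schedule B, 1.2.

Added illustration, not KYP.ai code. The numeric rules (8-character minimum
with four character classes, 90-day rotation, exemption at 32+ characters,
10-entry history, lockout after 3 failed attempts) are those stated in the
text; the Account record and PBKDF2-HMAC-SHA256 are assumptions of this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8
ROTATION_DAYS = 90
ROTATION_EXEMPT_LENGTH = 32
HISTORY_SIZE = 10
MAX_FAILED_ATTEMPTS = 3


def meets_complexity(password: str) -> bool:
    """At least 8 characters, containing upper, lower, digit and special characters."""
    return len(password) >= MIN_LENGTH and all((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def rotation_due(set_at: datetime, length: int, now: datetime) -> bool:
    """The 90-day change interval does not apply to passwords of 32+ characters."""
    return length < ROTATION_EXEMPT_LENGTH and now - set_at >= timedelta(days=ROTATION_DAYS)


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption for the example: salted PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # newest last; current password at [-1]
    password_length: int = 0
    password_set_at: datetime | None = None
    must_change: bool = True      # initial password issued by an administrator
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def provision(cls, username: str, initial_password: str, now: datetime) -> "Account":
        """Administrator issues an initial password that must be changed at first login."""
        acct = cls(username)
        acct.history.append(_digest(initial_password, acct.salt))
        acct.password_length = len(initial_password)
        acct.password_set_at = now
        return acct

    def change_password(self, new_password: str, now: datetime) -> str:
        """Returns 'ok', 'complexity' or 'reuse' (matches one of the last 10 digests)."""
        if not meets_complexity(new_password):
            return "complexity"
        digest = _digest(new_password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_SIZE:]):
            return "reuse"
        self.history = (self.history + [digest])[-HISTORY_SIZE:]
        self.password_length = len(new_password)
        self.password_set_at = now
        self.must_change = False
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'change-required', 'bad-password' or 'locked'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_digest(password, self.salt), self.history[-1]):
            self.failed_attempts += 1          # each wrong attempt is counted (and would be logged)
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True             # third wrong password blocks the account
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        if self.must_change or rotation_due(self.password_set_at, self.password_length, now):
            return "change-required"
        return "ok"


def demo_run() -> list[str]:
    """Walks one account through the rules with constructed data; returns the outcomes."""
    day0 = datetime(2024, 1, 1)
    acct = Account.provision("jdoe", "Init!al-Pw1", day0)
    out = [acct.login("Init!al-Pw1", day0)]                            # initial password: change required
    out.append(acct.change_password("short1!", day0))                  # too short
    out.append(acct.change_password("Init!al-Pw1", day0))              # reuse of a stored password
    out.append(acct.change_password("Spring-2024!x", day0))            # accepted
    out.append(acct.login("Spring-2024!x", day0 + timedelta(days=89)))  # within 90 days
    out.append(acct.login("Spring-2024!x", day0 + timedelta(days=90)))  # rotation due
    long_pw = "correct horse battery staple Tychy 2024!"                # 40 chars: exempt from rotation
    out.append(acct.change_password(long_pw, day0))
    out.append(acct.login(long_pw, day0 + timedelta(days=400)))
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(acct.login("wrong-Pw1!", day0))                     # third failure locks
    out.append(acct.login(long_pw, day0))                              # locked even with the right password
    return out


if __name__ == "__main__":
    print(demo_run())
```

The 90-day interval is reproduced as the text states it; current guidance such as NIST SP 800-63B advises against forced periodic changes in favour of screening against known-breached passwords, so a practitioner would treat the interval as the contractually agreed minimum rather than as a recommendation.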
Remote access to IT systems of the Contractor always takes place via encrypted connections.
An intrusion prevention system is in use on the servers. All servers are protected by firewalls that are always maintained and supplied with updates and patches.
Access by server and client systems to the Internet, and access to these systems from the Internet, is also secured by firewalls. This ensures that only the ports required for the respective communication can be used; all other ports are blocked.
All employees are instructed to lock their IT systems when they leave them. Passwords are always stored in encrypted form.
1.3 Data Access Control
Authorizations for IT systems and applications of the Contractor are set up exclusively by administrators.
Authorizations are always granted according to the need-to-know principle. Accordingly, only those persons are granted access rights to data, databases or applications who maintain and service these data, applications or databases or are involved in their development.
The prerequisite is a corresponding request for authorization for an employee by a supervisor. The request can also be submitted to the HR department.
There is a role-based authorization concept with the option of differentiated assignment of access rights, which ensures that employees receive access rights to applications and data depending on their respective area of responsibility and, if necessary, on a project basis.
Employees are generally prohibited from installing unauthorized software on IT systems.
All server and client systems are regularly updated with security updates.
1.4 Separation
All IT systems used by the Contractor for customers are multi-client capable. Data of different customers is kept separate at all times.
1.5 Pseudonymization & Encryption
Administrative access to server systems is always via encrypted connections.
In addition, data on server and client systems may be stored on encrypted data carriers, and corresponding full-disk encryption systems can be put in use at the Customer's request.
INTEGRITY
2.1 Input Control
The entry, modification and deletion of personal data processed by the Contractor on instruction is always logged.
Employees are obliged to always work with their own accounts. User accounts may not be shared or used jointly with other persons.
2.2 Transfer Control
A transfer of personal data, which takes place on behalf of a customer, may in each case only take place to the extent as agreed with the customer or insofar as this is necessary for the provision of the contractual services for the customer.
All employees working on a customer project are instructed with regard to the permissible use of data and the modalities of data disclosure.
As far as possible, data is transmitted to recipients in encrypted form.
The use of private data carriers is prohibited for employees of the Contractor in connection with customer projects.
Employees of the Contractor are regularly trained on data protection topics. All employees are committed to confidential handling of personal data.
AVAILABILITY AND RESILIENCE
Data on the Contractor's server systems is backed up incrementally at least daily and in full weekly. The backup media are encrypted and moved to a physically separate location.
Restoring from backups is tested regularly.
The IT systems have an uninterruptible power supply. The server room is equipped with a fire alarm system and a CO2 extinguishing system. All server systems are subject to monitoring, which immediately triggers messages to an administrator in the event of malfunctions.
The Contractor has implemented an emergency plan, which also includes a business continuity and disaster recovery plan.
ORDER CONTROL
Unless instructed otherwise by the Customer, the KYP.ai Software is hosted in the European Union.
The Contractor has designated a data protection officer.
When external service providers or third parties are involved, a data processing agreement is concluded in accordance with the requirements of the applicable data protection law after a prior audit by the Contractor. Any external contractors are also regularly monitored during the contractual relationship.
PRIVACY BY DESIGN AND PRIVACY BY DEFAULT
KYP.ai makes sure that the principle of necessity is already taken into account in connection with user interfaces during the development of the Software. For example, mandatory fields can be provided, or fields can be deactivated.
PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION
KYP.ai has implemented a comprehensive data protection management system, including detailed policies on data protection and information security.
A Data Protection and Information Security Team has been established to plan, implement, evaluate and adjust measures in the area of data protection and information security. All implemented measures and all policies are regularly evaluated and adjusted with regard to their effectiveness.
In particular, it is ensured that data protection incidents are recognized by all employees and are reported to the Data Protection and Information Security Team without undue delay. The Data Protection and Information Security Team will immediately investigate every incident. If data processed on instruction of a client is affected, it is ensured that the respective client is informed about the type and extent of the incident immediately.
SCHEDULE C: LIST OF SUB-PROCESSORS
KYP.ai uses the following sub-processors in the performance of the services under the Main Agreement:
| Sub-Processor | Services of the Sub-Processor | Processing Location |
|---|---|---|
| Hosting Provider defined in the Order Form (if provided by KYP.ai) | Hosting of the KYP.ai Software (IaaS) | as defined in the Order Form |
| KYP.ai Sp. z o.o., Tychy, Poland | Service/Support | Poland |
| KYP.ai GmbH, Berlin, Germany | Service/Support | Germany |
The Contractor may terminate the commissioning of individual sub-processors or commission additional sub-processors. When commissioning additional sub-processors, the Contractor shall inform the Customer electronically about the planned use of the additional sub-processor at least 30 days prior to its use. If the Customer has a material reason to object to the use of a sub-processor, the Customer shall notify the Contractor thereof in writing no later than 15 days after being informed of the planned use of the sub-processor, stating the material reason. If the Customer does not object within this period of time, the use of the additional sub-processor shall be deemed approved by the Customer.
If the Customer objects, the Contractor may cure the objection as follows: (1.) the Contractor shall not use the additional sub-processor for the processing of the Customer's Personal Data; or (2.) the Contractor shall take steps to eliminate the material reason for the Customer's objection; or (3.) the Contractor may temporarily or permanently cease providing the aspect of the Service affected by the use of the additional sub-processor to the Customer and refund to the Customer any compensation already paid in advance for the provision of that aspect of the Service. If none of these three options is feasible and the objection has not been remedied within 15 days after receipt of the objection, either party may terminate the Contract extraordinarily with reasonable notice.