AK Digital RMP Platform-as-a-Service
AK DIGITAL LLC PLATFORM-AS-A-SERVICE (PAAS) SCHEDULE DATA PROCESSING AGREEMENT PURSUANT TO ART. 28 GDPR
All capitalized terms have the meaning as defined in GERNERAL TERMS AND CONDITONS and Order Form (the Contract).
1. SCOPE OF THIS SCHEDULE DPA
AK Digital LLC renders the Platform Services to Client and its Users, which requires the collection and processing of Client Data. This Schedule Data Processing agreement (hereinafter “DPA”) specifies the obligations of Client (as data controller) and AK Digital LLC (as data processor) under data protection law resulting from any processing of Client Data, which arise from the provision, operation and use of the Platform Services in accordance with the Contract.
2. SUBJECT MATTER AND DURATION OF PROCESSING
2.1 AK Digital LLC will process Client Data on behalf of Client, who acts as data controller (Art. 4 no. 7 GDPR) and determines the purposes of the respective processing.
2.2 The subject matter of processing Client Data is the provision and operation of the Platform Services to Client and its Users, as specified in this Schedule DPA and the Contract. The term of this Schedule DPA is subject to the term of the Contract. If the Contract is terminated, this Schedule DPA shall end.
2.3 The scope, type and purpose of processing Client Data is to (a) provide; (b) operate; and (c) enable Client and its Users to use the Platform Services as set out in the Contract. The types of Client Data and the categories of data subjects affected is set out in Annex 1.
2.4 Some processing of Client Data takes place in a member state of the European Union (EU) or another member state to the agreement on the European Economic Area (EEA). Transfer to and processing of Client Data in a country, which is not a member state of the EU or another member state of the EEA, is approved as to the sub processors disclosed hereinand shall only occur, if the specific safeguards of Art. 44 et seq. GDPR have been fulfilled in order to ensure an adequate level of data protection. AK Digital LLC establishes such level of adequate data protection through the conclusion of EU Standard Contractual Clauses (Art. 46 para. 2 lit. c and d in conjunction with Art. 47 GDPR).
3. CLIENT’S RESPONSIBILITIES AND GUARANTEES
3.1 As data controller (Art. 4 no. 7 GDPR) Client has sole responsibility over the legitimacy of processing of Client Data.
3.2 Client guarantees AK Digital LLC that it has
(a) collected and processes Client Data in a legal, loyal and transparent manner, for given, explicit and legitimate purposes and has duly informed data subjects affected in accordance with Art. 12 et seq. GDPR;
(b) respected its obligations (if applicable) to make a prior declaration pertaining to processing of Client Data with the competent supervisory authority; and
(c) checked prior to the use of the Platform Services that processing Client Data in the framework of the Platform Services complies with the purpose and means of Client Data submitted and made available by Client and its Users into the Platform Services.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
4.1 AK Digital LLC shall implement all technical and organizational measures required by law to ensure a level of security appropriate to the risk of processing Client Data, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing Client Data as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. In particular, AK Digital LLC shall ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
4.2 AK Digital LLC shall document and provide to Client for verification, particularly regarding the specific fulfilment of this Schedule DPA, the implementation scheme for the technical and organizational measures, which are set out in Annex 2.
4.3 The technical and organizational measures are subject to technical progress and further development. AK Digital LLC shall therefore be entitled to implement alternative adequate measures without falling short of the security level and effectiveness of the measures originally defined.
5. RECTIFICATION, RESTRICTION AND ERASURE OF CLIENT DATA, DEALING WITH RIGHTS OF DATA SUBJECTS AS WELL AS DATA SUBJECT REQUESTS
5.1 To the extent possible within the functionalities of the Platform Services, Client itself shall rectify, erase or restrict Client Data. Outside of the scope of the aforementioned functionalities, AK Digital LLC shall rectify, erase or restrict (e.g. by way of blocking) Client Data, upon legitimate instruction by Client.
5.2 The Parties have the common understanding that Client shall handle requests of data subjects. In case a data subject directly addresses AK Digital LLC, requesting the rectification or erasure of personal data or a restriction of processing or asserting other statutory rights of data subjects, AK Digital LLC shall forward such data subject request or assertion to Client without undue delay.
5.3 AK Digital LLC shall support Client within a reasonable extent in the fulfilment of Client’s duties vis-à-vis data subjects, in particular, regarding their right of access, right to rectification, right to erasure, right to restriction of processing, the notification obligation regarding rectification or erasure, the right to data portability as well as the right to object.
6. AUDITS AND OTHER DUTIES OF AK DIGITAL LLC
In addition, AK Digital LLC shall have the following duties:
6.1 AK Digital LLC shall process the Client Data solely in accordance with the Contract, this Schedule DPA and legitimate instructions of Client in order to render the Platform Services.
6.2 AK Digital LLC shall assist Client to a necessary and reasonable extent in ensuring compliance with statutory obligations, notably in the performance of data protection impact assessments and with any necessary prior consultations of the competent supervisory authority.
6.3 AK Digital LLC shall provide Client with the contact details of its data protection officer. Such contact details are also published under the URL https://www.runmyprocess.com/imprint/
6.4 AK Digital LLC is obliged to ensure that its employees and vicarious agents etc. who are able to access Client Data undertake to comply with statutory data secrecy requirements and appropriate confidentiality obligations. Furthermore, AK Digital LLC’s employees and vicarious agents etc. shall be informed that the confidentiality subject to this Section 6.4 also continues after the termination of the activity. A statutory disclosure obligation remains unaffected hereof.
6.5 AK Digital LLC shall immediately inform Client of any measures and inspections by any supervisory authority regarding the processing of Client Data. The same shall apply in case of any investigations by a competent supervisory authority in the framework of administrative offences or criminal proceedings.
6.6 AK Digital LLC shall provide to Client within a reasonable extent all necessary information for creating a record of processing activities of Client Data. AK Digital LLC shall maintain a separate record of processing activities, possibly in electronic form, in line with statutory requirements.
6.7 AK Digital LLC shall carry out checks on the processing of Client Data relating to its area of responsibility as data processor in order to ensure compliance with this Schedule DPA.
6.8 AK Digital LLC shall make available to Client all information necessary to demonstrate compliance with applicable data protection law and shall allow for and contribute to audits, including inspections conducted by Client or another auditor mandated by Client only with regard to processing of Client Data under the scope of this Schedule DPA.
7. AUDIT RIGHTS
7.1 Client shall be entitled to verify compliance with (a) the obligations under applicable data protection law; and (b) this Schedule DPA, especially with the technical and organizational measures and legitimate instructions issued by Client.
7.2 For this purpose, Client shall have the right throughout the term of this Schedule DPA, in consultation with AK Digital LLC or through auditors to be designated in the individual case, who are suitable and obliged to confidentiality, to have appropriate inspections conducted at AK Digital LLC’s business establishment, where processing of Client Data takes place. These inspections shall be carried out without any avoidable disruptions. AK Digital LLC shall be entitled to object to the selection of the auditor on the grounds of an important reason (e.g. lack of reliability or competitive relationship to AK Digital LLC). With the exception of urgent, objectively justified reasons, which shall be documented accordingly by the Client, inspections in the business premises of AK Digital LLC shall be carried out after reasonable advance notice during the normal business hours of AK Digital LLC and not more frequently than every twelve (12) months.
7.3 AK Digital LLC undertakes at Client’s request, to provide to Client all relevant and necessary information and evidence to comply with applicable data protection law. With regard to the provision of evidence, AK Digital LLC may also present current attestations, reports or report extracts by independent third persons (such as certified public accountants, internal auditors, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection auditors. Client’s auditing rights under this Section 7 remain unaffected thereof, but the Parties have the common understanding that compliance checks will primarily be conducted via the provision of information and evidence subject to this Section 7.3.
8. SUB-PROCESSORS
8.1 The sub-processors approved by Client upon conclusion of the Contract are set out in Annex 1.
8.2 Client acknowledges and approves that AK Digital LLC may - in its free discretion - at any time change the Platform, provided that (a) AK Digital LLC has notified Client with reasonable time about the change of the Platform; (b) the new Platform offers performances at least equal to those of the Platform; (c) AK Digital LLC switches over to the new Platform without interruption of the Platform Services; (d) the new Platform respects all commitments of AK Digital LLC under this Schedule DPA; and (e) AK Digital LLC does not amend the fees for the Platform Services.
8.3 Other sub-processors may only be engaged if the following prerequisites are met:
(a) AK Digital LLC submits the engagement of a sub-processor to Client in written or text form with reasonable advance notice and Client does not object such engagement, which is only possible in cases of justified reasons.
(b) AK Digital LLC shall execute agreements with the sub-processors with basically comparable data protection provisions and obligations as those applicable between the Parties. In particular, AK Digital LLC shall ensure that sufficient guarantees are provided to implement technical and organizational measures. Further, the sub-processor shall grant Client basically comparable auditing and inspection rights, including Client’s right to obtain from AK Digital LLC, upon written request, information about content and implementation of relevant data protection obligations under the sub-processor’s relationship, where required through inspection of the associated documentation.
(c) Processing by sub-processors shall take place in a member state of the EU or another member state to the agreement on the EEA and in the location of approved subprocessors herein. Transfer to a sub-processor and its processing of Client Data in a country, which is not a member state of the EU or another member state of the EEA, is approved as to the subprocessors disclosed herein, and shall only occur, if the specific safeguards of Art. 44 et seq. GDPR have been fulfilled in order to ensure an adequate level of data protection. AK Digital LLC establishes such level of adequate data protection with the sub-processors through the conclusion of EU Standard Contractual Clauses (Art. 46 para. 2 lit. c and d in conjunction with Art. 47 GDPR).
8.4 AK Digital LLC shall remain liable to Client for the performance of the engaged sub-processor’s obligations.
9. REPORT OF BREACHES ON THE PART OF AK DIGITAL LLC
9.1 AK Digital LLC shall design the processing of Client Data, operational procedures and associated processes, systems and installations such that AK Digital LLC can detect and recognize any data protection violations and can report them.
9.2 AK Digital LLC shall notify Client without undue delay, if (a) a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Data; or (b) AK Digital LLC or its employees or vicarious agents etc. have breached any data protection regulations or the obligations stipulated herein. This duty shall also apply in the case of a serious disruption of operations or any other irregularities in handling Client Data.
9.3 AK Digital LLC is aware that Client, in the case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Data, is obliged to notify such breach not later than seventy-two (72) hours after having become aware of it. Consequently, AK Digital LLC is therefore obliged to support Client in the fulfilment of these notification obligations.
9.4 AK Digital LLC shall document any personal data breaches affecting Client Data, comprising the facts relating to the Client Data breach, its effects and the remedial action taken and shall in consultation with Client - and in case of imminent danger even without Client’s consent - take appropriate measures to safeguard Client Data and to mitigate any adverse consequences for data subjects.
10. CLIENT’S AUTHORITY TO ISSUE INSTRUCTIONS
10.1 Processing of Client Data shall be governed exclusively by (a) this Schedule DPA; (b) instructions that are possible within the functionalities of the Platform Services (e.g. login, change User name, change password, start a new Client Application instance, logout etc.), Client Applications and Client’s support tickets; as well as (c) any other reasonable and justified instructions by Client, which shall be documented in written or in text form in each case.
10.2 Client shall immediately confirm any oral instructions in written or text form.
10.3 AK Digital LLC shall not use the Client Data for any other purposes than the purposes laid out in this Schedule DPA and the Contract. AK Digital LLC shall not make any copies or duplicates without Client’s knowledge, with the exception of backup copies to the extent required to ensure proper processing as well as data required for compliance with statutory retention obligations.
10.4 AK Digital LLC shall immediately inform Client, if - in AK Digital LLC’s view - an instruction infringes any applicable data protection law. AK Digital LLC shall be entitled to suspend execution of the instruction concerned, until it is either confirmed or changed by Client.
11. DELETION OF CLIENT DATA AND RETURN OF DATA CARRIERS
11.1 The deletion concept is set out in Annex 1.
11.2 After the end of processing or at any earlier date required by Client and to the extent permitted by applicable data protection law, AK Digital LLC shall in accordance with Client’s legitimate instructions erase all Client Data. A deletion report shall be presented to Client upon request. This shall not apply where statutory duties of retention exist, which shall be documented and communicated to Client.
ANNEX 1 TO SCHEDULE DPA
TYPES OF CLIENT DATA, AFFECTED DATA SUBJECTS, DELETION OBLIGATIONS AND SUB-PROCESSORS
1. TYPES OF CLIENT DATA
(a) Master data of Users (e.g. name and email address)
(b) Transaction meta data of Users (e.g. User accounts, login IP addresses)
(c) Client Application data (e.g. User meta data)
(d) Client Data provided by Client and processed by the Client Application
2. AFFECTED DATA SUBJECTS
Affected data subjects are Users, i.e. Client’s employees, its service providers (including personnel) and its customers (including personnel).
3. DELETION OBLIGATIONS
All Client Data, Client Content and Client Applications stored in the Platform Services are deleted after the termination of the Contract and the reversibility period (as set out in Section 13 of the General Terms and Conditions), unless this is contradicted by statutory retention obligations of AK Digital LLC. In case of such statutory retention periods, AK Digital LLC will delete the respective Client Data, Client Content and/or Client Applications at the end of the applicable statutory retention period.
4. SUBPROCESSORS
| Sub-processor | Country | Function of Sub-processing | Further information |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Luxembourg (EU) | Hosting the platform | https://aws.amazon.com |
| SolarWinds MSP UK Limited | United States | Hosting the platform services log files | https://www.solarwinds.com/loggly |
Sub-processors who are involved in the processing of Client Data in the framework of the basic customer support services of the Platform Services are listed below:
| Sub-processor | Country | Function of Sub-processing | Further information |
|---|---|---|---|
| ZOHO CORPORATION B.V | Netherlands | Hosting customer support ticketing system | https://www.zoho.com/gdpr.html |
| Akorbi BPO LLC | Cape Verde | 24*7 customer support desk | |
| OKIN Techstra s.r.o. | Czech Republic | 2nd level customer support for the Platform Services | |
| PurpleTalk Inc | India | 3rd level customer support for the Platform Services |
ANNEX 2 TO SCHEDULE DPA
TECHNICAL AND ORGANIZATIONAL MEASURES
1. AK Digital LLC shall implement such technical and organisational security measures for Processing of any Client Data as provided in the Agreement and shall - upon written request - provide evidence of the implementation of such measures.
2. AK Digital LLC must have in place and maintain at least the following technical and organisational security measures, if and to the extent it is - in relation to the Platform Services - in AK Digital LLC' responsibility and under AK Digital LLC' control:
2.1 Equipment Access Control: AK Digital LLC shall take reasonable technical and organisational measures to deny unauthorised persons access to processing equipment used for processing. Unauthorised persons shall be prevented from gaining physical access to premises, buildings or rooms, where data processing systems are located which process Client Data; persons are unauthorised if their activity does not correspond to tasks assigned to them. Exceptions may be granted for the purpose of auditing the facilities to third party auditors as long as they are supervised by AK Digital LLC and do not get access to the Client Data itself.
AK Digital LLC shall in particular:
(a) specify authorized individuals;
(b) use an access control process to avoid unauthorized access to office rooms;
(c) have a access control process to restrict access to data center/rooms were servers are located; and
(d) accompany at all times personnel without access authorization (e.g. technicians, cleaning personnel).
2.2 Data Media Control: AK Digital LLC shall take reasonable technical and organisational measures to prevent the unauthorised reading, copying, modification or removal of data media.
AK Digital LLC shall in particular:
(a) store data media in secured areas;
(b) establish rules for the safe and permanent destruction of data media that are no longer required; and
(c) only grant AK Digital LLC’ personnel and its sub-contractors' directors, officers, employees, agents, permitted subcontractors and assignees minimal permissions to access data media as needed to fulfil their function (“need to know”)
2.3 Storage Control: AK Digital LLC shall take reasonable technical and organisational to prevent the unauthorised input of Client Data and the unauthorised inspection, modification or deletion of Client Data. Persons entitled to use a data processing system shall be able to input and gain access only to the data to which they have a right of input or access, and Client Data must not be read, copied, modified or removed without authorization in the course of processing.
AK Digital LLC shall in particular:
(a) restrict access to files and programs based on a "need-to-know” basis;
(b) store data carriers in secured areas;
(c) establish rules for the safe and permanent destruction of data that are no longer required; and
(d) only grant AK Digital LLC’ personnel and its sub-contractors' directors, officers, employees, agents, permitted subcontractors and assignees minimal permissions to access data as needed to fulfil their function (“need to know”).
2.4 User Control: AK Digital LLC shall take reasonable technical and organisational measures to prevent the use of automated processing systems by unauthorised persons using data communication equipment.
(a) take reasonable measures to protect systems processing Client Data against unauthorised access by means of data communication equipment, including the deployment of firewalls and intrusion detection systems;
(b) log remote access to systems processing Client Data;
(c) ensure that the remote access control is supported by an authentication system;
(d) only grant AK Digital LLC’ personnel, or its sub-contractors' directors, officers, employees, agents, and assignees remote access to applications which process Client Data to the extent they require to fulfil their function (“need to know”); and
(e) have a proper procedure to deactivate remote access accounts, when the respective user leaves the company or function.
2.5 Data Access Control: AK Digital LLC shall take reasonable technical and organisational measures to ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation. Data processing systems must be prevented from being used without authorization.
AK Digital LLC shall in particular:
(a) ensure that all computers processing Client Data (incl. remote processing) are password protected
i) after boot sequences; and
ii) when left even for a short period to prevent someone else from unauthorised access to processed Client Data;
(b) have dedicated user IDs for authentication against the system’s user management for every individual;
(c) assign individual user passwords for authentication;
(d) ensure that the access control is supported by an authentication system, including access and use of systems by way of remote access;
(e) only grant AK Digital LLC’ personnel, or its sub-contractors' directors, officers, employees, agents, and assignees access to applications which process Client Data to the extent they require to fulfil their function (“need to know”);
(f) implement a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords;
(g) ensure that each computer has a password protected screensaver, that is activated at least after ten (10) to fifteen (15) minutes of inactivity;
(h) ensure that passwords are always stored in encrypted form
(i) have a proper procedure to deactivate user accounts, when the respective user leaves the company or function; and
(j) have a proper process to adjust administrator permissions, when an administrator leaves the company or function.
2.6 Communication Control: AK Digital LLC shall maintain adequate records and documentation to verify and establish the bodies to which processed Client Data has been or may be transmitted or made available by AK Digital LLC or any of its sub-contractors using data communication equipment.
2.7 Input Control: AK Digital LLC shall take reasonable technical and organisational measures to ensure that it is subsequently possible to verify and establish which personal data has been input into automated processing systems and when and by whom the personal data was input. It shall be possible retrospectively to examine and establish whether and by whom Client Data has been entered into data processing systems, modified or removed (to the extent this is under AK Digital LLC’ control).
AK Digital LLC shall in particular, in its and its sub-contractor's organisation:
(a) log administrators and user activities; and
(b) permit only authorized personnel to enter and modify any Client Data within the scope of their function (“need to know”).
2.8 Transport Control: AK Digital LLC shall take reasonable technical and organisational measures to prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media. Except as necessary for the provision of the Platform Services in accordance with the Contract, Client Data must not be read, copied, modified or removed without authorization during transfer or storage and it shall be possible to establish to whom Client Data was transferred to and AK Digital LLC shall take reasonable measures to protect the confidentiality and integrity of Client Data during transfer and transport.
AK Digital LLC shall in particular:
(a) encrypt data during any transmission
(b) transport data carriers in sealed containers; and
(c) have shipping and delivery notes.
2.9 Recovery: AK Digital LLC; shall take reasonable technical and organisational measures to ensure that installed systems may, in the case of interruption, be restored.
AK Digital LLC shall in particular:
(a) create back-up copies stored in specially protected environments (to the extent this is part of the Platform Services);
(b) perform regular restore tests from those backups;
(c) create contingency plans or business recovery strategies for its own operations;
(d) not remove Client Data from AK Digital LLC' business computers or premises for any reason (unless the Client has specifically authorized such removal for business purposes);
(e) not use private equipment to perform the Platform Services; and
(f) run an up to date antivirus solution on computer systems.
2.10 Reliability: AK Digital LLC; shall take reasonable technical and organisational measures to ensure that (a) the functions of the systems perform, and (b) the appearance of faults in the functions is reported. Reference is made to the specification of the Platform Services, including service levels and quality requirements, and the reporting obligations of AK Digital LLC as specified in the Contract.
2.11 Integrity: AK Digital LLC shall take reasonable technical and organisational measures to ensure that stored Client Data cannot be corrupted by means of a malfunctioning of the system. Reference is made to the specification of the Platform Service, including service levels and quality requirements, and the reporting obligations of AK Digital LLC as specified in the Contract.
2.12 Contractual Control: Client Data being processed on commission shall be processed solely in accordance with the Contract and related instructions by Client. AK Digital LLC will carry out the Platform Services and, in particular, the data processing services for Client Data only in accordance with given instructions, and will instruct its personnel and sub-contractors involved in the processing of Client Data accordingly.
AK Digital LLC shall in particular:
(a) establish controls of the contractual performance;
(b) work according to written instructions or contracts; and
(c) process the personal data received from different clients to ensure that in each step of the processing the data controller of the personal data can be identified (physical or logical separation of data).
2.13 Availability Control: Client Data shall be protected against disclosure, accidental or unauthorized destruction or loss.
AK Digital LLC shall in particular:
(a) create back-up copies stored in specially protected environments (to the extent this is part of the Platform Services);
(b) perform regular restore tests from those backups;
(c) create contingency plans or business recovery strategies for its own operations;
(d) not use Client Data for any purpose other than what has been contracted to perform;
(e) not remove Client Data from AK Digital LLC;' business computers or premises for any reason (unless the Client has specifically authorized such removal for business purposes);
(f) not use private equipment to perform the Platform Services;
(g) ensure that whenever a user leaves his desk unattended during the day, and prior to leaving the office at the end of the day, the respective user must ensure that documents containing Client Data are placed in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (“clean desk”);
(h) implement a process for disposal of documents or data carriers containing personal data;
(i) have firewalls on network level to prevent unauthorized access to systems and services on network level; and
(j) run an up to date antivirus solution on computer systems.
2.14 Separation: AK Digital LLC shall take such technical and organisational measures as set forth in the Contract to ensure that Client Data collected for different purposes is can be processed separately. AK Digital LLC shall be entitled to rely on the instructions of and information provided by the Client in this respect, in particular in relation to the types of Client Data and the purpose of collection. To the extent that any measures required to separate data are not within AK Digital LLC' obligations under the Contract, AK Digital LLC' obligation to implement such measures remain subject to an agreement on (i) the specification of such measures and (ii) a reasonable remuneration of AK Digital LLC.