This Data Processing Agreement ("DPA") specifies the data protection obligations and rights of the parties in connection with the processing of personal data processed by Softr Platforms GmbH, Rosenthaler Straße 13, 10119 Berlin, Germany, represented by the managing director Mariam Hakobyan (hereinafter "Contractor") on behalf of the Customer (hereinafter "Customer") under the Terms and Conditions for the Use of the Softr Platform (hereinafter "Main Agreement") concluded between the parties.
1 Scope of application
When providing the services in accordance with the Main Agreement, the Contractor processes personal data which the Customer has made available for the purpose of providing the services and in respect of which the Customer acts as controller in the sense of data protection law ("Customer Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular the Main Agreement, the provisions of this DPA shall take precedence.
2 Subject-matter and scope of the processing / Customer’s authority to issue instructions
2.1 The Contractor will process the Customer Data exclusively on behalf of the Customer and in accordance with the Customer’s instructions unless the Contractor is legally required to do so under the law of the European Union or a Member State. In such a case, the Contractor shall inform the Customer of these legal requirements prior to processing, unless the law in question prohibits such information on important grounds of public interest.
2.2 The processing of Customer Data by the Contractor shall be carried out exclusively in the nature, to the extent, and for the purpose specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.
2.3 The duration of the processing corresponds to the term of the Main Agreement. The Customer shall be entitled to terminate this DPA and the Main Agreement if the Contractor violates obligations arising from this DPA or instructions of the Customer and does not remedy the respective violation immediately upon warning by the Customer. In the event of a material breach of obligations arising from this DPA or instruction, the Customer may terminate this DPA and the Main Agreement without notice and without prior warning.
2.4 The Contractor is allowed to process Customer Data or to have Customer Data processed by other processors outside the European Economic Area ("EEA") if the requirements of Articles 44 to 48 GDPR are fulfilled or if an exception under Art. 49 GDPR exists.
2.5 The instructions are set out in the Main Agreement. The Customer is entitled to issue instructions on the nature, scope, purposes, and means of processing Customer Data. The Customer will confirm oral instructions in writing or by e-mail.
2.6 If the Customer issues instructions that go beyond the services agreed in the Main Agreement and this DPA, the Customer shall bear the costs for the execution of instructions. Before carrying out the instructions, the Contractor shall inform the Customer of the expected costs and await his confirmation. This shall not apply to instructions to refrain from data processing as a whole or to delete individual or all Customer Data or to hand it over to the Customer.
2.7 If the Contractor is of the opinion that an instruction of the Customer violates this DPA, the GDPR, or other data protection regulations of the Union or the Member States, it shall inform the Customer of this immediately in writing or text form. The Contractor is entitled to suspend the execution of such instruction until the Customer confirms it in writing or text form. If the Customer insists on the execution of the instruction despite the concerns expressed by the Contractor, the Customer shall indemnify the Contractor against all damages and costs incurred by the Contractor as a result of the execution of the Customer's instruction. The Contractor shall inform the Customer of any damages and costs asserted against him and shall not acknowledge any claims of third parties without the consent of the Customer and shall either conduct the defense in agreement with the Customer or leave it to the Customer, at the Contractor's discretion.
3 Requirements for personnel
3.1 Contractor shall obligate all personnel processing Customer Data to maintain confidentiality unless they are subject to appropriate statutory confidentiality obligations.
3.2 Contractor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and the Customer’s instructions unless they are required to do so under the law of the European Union or the Member States.
4 Security of processing
4.1 Taking into account the state of the art, the costs of implementation, and – as far as known to the Contractor – the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the Contractor shall implement appropriate technical and organisational measures to ensure a level of security for the Customer Data appropriate to the risk.
4.2 Prior to the beginning of the processing of Customer Data, the Contractor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
4.3 Customer shall verify the technical and organisational measures implemented by the Contractor, in particular, whether they are also sufficient with regard to circumstances of data processing not known to the Contractor.
4.4 Since the technical and organisational measures are subject to technical progress, the Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If the Contractor makes significant changes to the measures specified in Annex 2, it will inform the Customer of such changes in advance. If the changes fall below the previously defined security level in such a way that they are no longer adequate, taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of processing the Customer Data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the Customer shall be entitled to terminate the Main Agreement and this DPA at the time when such changes come into force.
5 Use of sub-processors
5.1 Contractor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon the conclusion of this DPA.
5.2 Contractor may use further sub-processors to process Customer Data subject to the following conditions: Contractor shall inform the Customer before making use of the further sub-processor. Unless the Customer raises an objection within 14 days after such information, the use of the further sub-processor shall be deemed to have been authorised.
5.3 If the Customer objects to the use of a further processor without good cause, the Contractor shall be entitled, at its discretion, to continue to provide the services without the corresponding processor or to terminate the Main Agreement and this DPA in accordance with the terms of the Main Agreement.
5.4 Contractor must obligate each sub-processor by means of a written agreement in the same way as Contractor is obligated to the Customer under this DPA.
5.5 Contractor shall be obliged to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
5.6 If the Contractor employs further processors who process personal data outside member states of the European Union or the EEA and if the conditions of Articles 44 to 48 GDPR are not otherwise fulfilled or an exception under Article 49 GDPR exists, the Contractor shall ensure with respect to these sub-processors that the applicable data protection obligations are met by concluding any such sub-processing agreement using the applicable Module Three (Transfer processor to processor) of the EU Standard Contractual Clauses as of 2021.
6 Rights of data subjects
6.1 Contractor shall take all reasonable technical and organisational measures to assist the Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
6.2 Contractor will in particular, within the scope of its possibilities:
a) inform Customer if a data subject should contact the Contractor directly with a request to exercise his rights in relation to Customer Data;
b) provide Customer with all information in its possession concerning the processing of Customer Data which the Customer requires in order to respond to the request of a data subject and which is not available to the Customer himself;
c) correct, delete or limit the processing of Customer Data without delay at the Customer’s instruction, insofar as this is technically and reasonably possible for the Contractor;
d) ensure that Customer can and does receive the Customer Data processed within Contractor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to the Customer Data.
7 Other obligations of the Contractor to assist the Customer
7.1 Contractor shall notify Customer immediately after becoming aware of any Customer Data breach, in particular incidents that lead to the destruction, loss, alteration or unauthorised disclosure of or access to Customer Data.
7.2 In the event of any Customer Data breach, the Contractor shall, without delay, take all necessary and reasonable measures to remedy the Customer Data breach and, if necessary, to mitigate its possible adverse effects.
7.3 If the Customer is obliged to provide information to a government authority or a third party regarding the processing of Customer Data or to cooperate with such entities in any other way, the Contractor is obliged to assist the Customer, insofar as this is possible, in providing such information or in fulfilling other obligations to cooperate, in particular, to provide all information and documents regarding technical and organisational measures taken within the meaning of Art. 32 GDPR, regarding the technical procedures for processing Customer Data, the locations where Customer Data is processed and the persons involved in the processing.
7.4 Contractor shall assist Customer with its compliance with its obligations under Art. 32 GDPR, to the extent possible considering the information Contractor has with respect to Customer’s use of Contractor’s services.
7.5 In the event that the Customer is obliged to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, the Contractor shall, insofar as this is possible, assist the Customer in complying with these obligations at the latter's request. In particular, the Contractor is obliged to document all Customer Data breaches, including all related facts, in a manner that enables the Customer to prove compliance with any relevant statutory reporting obligations.
7.6 Contractor shall support the Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
7.7 Upon request, the Contractor shall provide the Customer with extracts from the records of processing activities in accordance with Art. 30(2) GDPR relating to the processing of Customer Data.
8 Deletion and return of Customer Data
8.1 Upon termination of the Main Agreement, Contractor shall, upon the Customer’s instruction, either completely delete all Customer Data or return it to the Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data.
8.2 However, the Contractor is entitled to keep backup copies of the Customer Data for a period of 30 days, insofar as deletion of the Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from section 2.3.
8.3 Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Contractor in accordance with the statutory retention periods beyond the term of this DPA.
9 Evidence and inspections
9.1 Contractor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, including the scope of processing of the Customer Data set out in Annex 1 and the Customer’s instructions.
9.2 Contractor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide the Customer with all necessary evidence of the Contractor's compliance with its obligations under the GDPR and this DPA at the Customer’s request.
9.3 Customer shall be entitled to audit the Contractor prior to the start of the processing of Customer Data and regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular, the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor who is obliged to maintain secrecy; this shall include inspections. Contractor shall allow and shall contribute to such inspections by taking all reasonable and appropriate measures; inter alia by granting the necessary access and access rights and by providing all necessary information. The inspections shall, as far as possible, not obstruct or unduly burden the Contractor in his normal business operations. The reasonable costs actually incurred for such audits and inspections shall be borne by the Customer.
9.4 In accordance with the provisions of the GDPR, the Customer and the Contractor are subject to public controls by the competent supervisory authority. At the request of the Customer, the Contractor shall provide the supervisory authority with the desired information and allow the supervisory authority or the persons appointed by it to carry out audits, including inspections of the Contractor. In this context, the Contractor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
The limitations of liability agreed in the Main Agreement apply accordingly.
11.1 Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause 11.1.
11.2 Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.