Data Processing Agreement

between

the participant of the Saiga App
as the controller (hereinafter referred to as „Principal“)

and

Saiga GmbH,
Kyffhäuserstraße 10, 10781 Berlin
as data processor (hereinafter referred to as „Contractor“)

Preamble

The Principal has commissioned the Contractor with the services referred to in section 1. Part of the implementation of the agreement may involve the processing of personal data. In particular, Art. 28 GDPR imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties conclude the following agreement, the implementation of which shall not be remunerated separately unless this is expressly agreed.

The terms and definitions of the General Data Protection Regulation (hereinafter "GDPR"), in particular Art. 4 GDPR, shall apply to this agreement.

1 Object of the Agreement

1.1 The Contractor shall support the Principal in handling private and business matters ("Concierge Service") on the basis of the user agreement (hereinafter referred to as "Main Agreement"). In this context, the Contractor may obtain access to the personal data specified in Annex 1 and shall process such data on behalf of and in accordance with the instructions of the Principal.

1.2 The Parties conclude this agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the Main Agreement.

1.3 Details on the type, scope and purpose of the data processing by the Contractor are set out in Annex 1, unless they already result from the Main Agreement (and, if applicable, the associated service description).

1.4 The provisions of this agreement shall apply to all activities related to the Main Agreement in the context of which the Contractor and its employees or persons authorised by the Contractor have access to personal data originating from the Principal or collected on behalf of the Principal.

2 Term

The term of this agreement shall be based on the term of the Main Agreement, provided that no obligations or rights of termination beyond this result from the following provisions.

3 Place of Processing and Establishment of the Contractor

The processing of the contractual personal data by the Contractor shall generally take place in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any other processing or use outside these territories requires the prior consent of the Principal and may only take place if the special requirements for data exports to third countries pursuant to Art. 44 et seq. GDPR are met, for example through the use of the EU standard contractual clauses.

4 Instructions by the Principal

4.1 The Contractor may only process data within the framework of the Main Agreement and in accordance with the Principal's instructions; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. If the Contractor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the Principal of these legal requirements prior to the processing, unless the law in question prohibits such notification due to an important public interest (Art. 28 para. 3 sentence 2 lit. a GDPR).

4.2 The Principal's instructions shall initially be determined by this agreement and may thereafter be amended, supplemented or replaced by the Principal in writing or in text form by individual instructions (individual instructions). Verbal instructions shall be confirmed immediately in a documented electronic format. The Principal shall be entitled to issue corresponding instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data.

4.3 All instructions issued shall be documented by both the Principal and the Contractor. Instructions that go beyond the service agreed in the Main Agreement shall be treated as a request for a change in service. If the Principal issues individual instructions regarding the treatment of personal data which go beyond the scope of services agreed in the Main Agreement, the costs incurred as a result shall be borne by the Principal.

4.4 If the Contractor is of the opinion that an instruction of the Principal violates data protection provisions, it shall notify the Principal thereof without delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Principal. The Contractor may refuse to carry out an instruction that is obviously unlawful.

5 Responsibilities and Obligations of the Principal

5.1 Within the scope of this Agreement, the Principal shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor, for the lawfulness of the data processing and for the protection of the rights of the data subjects ("Controller" within the meaning of Art. 4 No. 7 GDPR).

5.2 The Principal shall inform the Contractor immediately and in detail if it identifies errors or irregularities in the results of the order with regard to data protection provisions.

5.3 In the event of a claim against the Contractor by a data subject, the Principal shall support the Contractor in defending any claims pursuant to Art. 82 GDPR to the extent necessary, provided that personal data from this contractual relationship are affected.

5.4 The Principal is obliged to treat all knowledge of the Contractor's business secrets and data security measures obtained within the framework of the contractual relationship as confidential. This obligation shall remain in effect even after termination of this agreement.

6 Contractor’s Obligations

6.1 The Contractor shall be obliged to observe the statutory provisions on data protection applicable to it and not to disclose information obtained from the Client to third parties or provide them with access to it. Documents and data shall be secured against access by unauthorised persons, taking into account the state of the art.

6.2 The Contractor shall cooperate to the necessary extent in the fulfilment of the data subjects’ rights pursuant to Art. 12 to 22 GDPR by the Principal, in the creation of directories of processing activities as well as in any necessary data protection impact assessments of the Principal and shall support the Principal appropriately as far as possible (Art. 28 para. 3 sentence 2 lit. e) and f) GDPR).

7 Technical and Organisational Measures, Confidentiality

7.1 The Contractor shall ensure a level of protection for the specific commissioned processing that is appropriate to the risk to the rights and freedoms of the natural persons affected by the processing. To this end, the protection objectives of Article 32 para. 1 GDPR, such as confidentiality, integrity and availability of the systems and services as well as their resilience in relation to the type, scope, circumstances and purpose of the processing operations shall be taken into account in such a way that the risk is permanently contained by means of appropriate technical and organisational remedies.

7.2 The data protection and security concept described in Annex 2 sets out in detail the selection of technical and organisational measures appropriate to the identified risk, taking into account the protection objectives in accordance with the state of the art and with particular regard to the IT systems and processing procedures used by the Contractor and shall be binding. The measures implemented by the Contractor may be adapted to technical and organisational developments in the course of the contractual relationship, but may not fall below the standards agreed in accordance with Annex 2. The Contractor shall inform the Principal without delay of any significant changes to the security measures. Such changes shall be documented.

7.3 If the measures taken by the Contractor do not meet the requirements of the Principal, the Principal shall notify the Contractor without delay.

7.4 The Contractor undertakes to maintain data secrecy and confidentiality when processing the Principal's personal data. This obligation shall survive the termination of this contractual relationship.

7.5 The Contractor guarantees that it will familiarise the staff involved in the implementation of the work with the data protection provisions applicable to them prior to commencement of their activity and that it will oblige them to maintain confidentiality in an appropriate manner for the duration of their activity as well as after termination of the employment relationship (Art. 28 Art. 3 sentence 2 lit. b and Art. 29 GDPR).

7.6 The Contractor may only provide information on personal data from the contractual relationship to third parties or the data subject after prior instruction or consent by the Principal.

8 Contractor’s Notification Obligations

8.1 The Contractor is aware that the Principal may be subject to a notification obligation pursuant to Art. 33 GDPR, which provides for notification of data protection breaches to the supervisory authority within 72 hours of becoming aware of them. In the event of disruptions, suspected data protection breaches, suspected security-related incidents or other irregularities in the processing of data by the Contractor, by persons employed by it within the scope of the assignment or by third parties, the Contractor shall inform the Principal in writing or text form without delay. The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects.

9 Enquiries and Rights of Data Subjects

The Contractor shall support the Principal within the scope of its possibilities with suitable technical and organisational measures in the fulfilment of the Principal's obligations pursuant to Articles 12 to 22 and 32 to 36 GDPR. If a data subject contacts the Contractor directly with requests for correction, deletion or information, the Contractor shall immediately refer the data subject to the Principal, provided that an assignment to the Principal is possible according to the data subject's information. The Contractor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the Principal.

10 Principal’s Control Rights

10.1 The Principal shall be entitled, subject to strict confidentiality of the Contractor's trade and business secrets, to inspect the Contractor's compliance with the technical and organisational measures pursuant to Annex 2 to this agreement. For this purpose, it may, for example, obtain information from the Contractor, inspect existing test certificates from experts, certifications or internal audits or personally inspect the Contractor's technical and organisational measures after timely coordination during normal business hours or have them inspected by a competent third party, provided that this third party is not in a competitive relationship with the Contractor. The Principal shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor's operations in the process. The Contractor may claim remuneration for enabling on-site inspections by the Principal.

10.2 The Contractor undertakes to provide the Principal, at the latter's oral or written request and within a reasonable period of time, with all information and evidence required to carry out a control of the Contractor's technical and organisational measures.

10.3 The Principal shall document the inspection result and inform the Contractor thereof. In the event of errors or irregularities which the Principal discovers in particular during the inspection of order results, it shall inform the Contractor without delay. If facts are determined during the inspection, the future avoidance of which requires changes to the instructed procedure, the Principal shall inform the Contractor of the necessary procedural changes without delay.

11 Subcontracting Relationships (Subcontractors)

11.1 Subcontracting relationships within the meaning of this provision shall be those services which directly relate to the provision of the main service. This does not include ancillary services which the Contractor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obliged to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Principal's data also in the case of outsourced ancillary services and to prove these to the Principal upon request.

11.2 The Principal hereby grants its general consent to the involvement of subcontractors by the Contractor and the establishment of corresponding subcontracting relationships. The subcontracting relationships already existing at the time of conclusion of this agreement are listed in Annex 3.

11.3 The Contractor is obliged to inform the Principal in text form of any intended involvement of further subcontractors or the replacement of the subcontractors listed in Annex 3. The Principal is entitled to object to notified changes within 2 weeks of receipt of the notification of change if there is a legitimate interest. A legitimate interest exists in particular if there are objective doubts about the reliability of the subcontractor and the data protection compliance of the subcontractor's services. The objection must be in text form and must be substantiated. If such an objection is made and a mutually agreeable solution cannot be found between the parties, the Contractor shall be entitled to extraordinary termination of the Main Agreement and this agreement.

11.4 The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this agreement and ensure that the Principal can also exercise its rights under this agreement (in particular its audit and inspection rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Principal with evidence of the conclusion of the aforementioned agreements with its subcontractors.

12 Deletion and Return of Data

12.1 After termination of the Main Agreement, the Contractor shall return to the Principal all documents, data and data carriers provided to it or - at the request of the Principal, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This also applies to any data backups by the Contractor. In the event of the deletion of data, the Contractor shall document this in a protocol. The Principal shall decide on the return or deletion of the data after the end of the agreement no later than two weeks after the end of the agreement.

12.2 Documentation which serves as proof of the orderly and proper data processing or statutory retention periods shall be retained by the Contractor beyond the end of the agreement in accordance with the respective retention periods.

12.3 The Contractor shall be obliged to treat as confidential any data of which it becomes aware in connection with the Main Agreement, even after termination of the Main Agreement. This agreement shall remain valid after termination of the Main Agreement for as long as the Contractor has personal data at its disposal which have been forwarded to it by the Principal or which it has collected on the Principal's behalf.

13 Final Provisions

13.1 In the event of a conflict between the Main Agreement and this agreement, this agreement shall prevail provided that the provisions of this agreement relate to the processing of personal data.

13.2 Amendments and supplements to this agreement must be made in writing. This also applies to the waiver of this formal requirement. The precedence of individual contractual agreements remains unaffected.

13.3 Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the respective remaining provisions.

13.4 If the subscriber is an entrepreneur, the parties agree that Berlin is the place of jurisdiction for all disputes arising from this agreement. However, Saiga remains entitled to take legal action at the subscriber’s place of business.

13.5 The laws of the Federal Republic of Germany shall apply. If the subscriber is a consumer, the mandatory protective provisions of the law of the state in which the consumer has his or her habitual residence shall remain applicable.

13.6 Annexes 1, 2 and 3 form an integral part of this agreement.

Annexes

Annex 1 – Details on Data Processing, Contacts, Data Protection Officer
Annex 2 – Contractor’s Technical and Organisational Measures
Annex 3 – List of Subcontractors


Annex 1: Details on Data Processing

Nature and Purpose of Processing

Data processing in the context of supporting the Principal in private and business matters. For this purpose, the Principal uploads the documents required for the execution of the support action in the app.  

Categories of Data Subjects

If documents are transmitted by the Principal for the purpose of receiving a support service by the Contractor, personal data of the following data subjects, among others, may also be transmitted and collected and processed by the Contractor:


    - Family members, friends, acquaintances
    - Own employees/staff
    - Employees/staff of contractual partners  
    - Staff of authorities

Nature of Personal Data to be processed

If documents are transmitted by the Principal for the purpose of receiving a support service by the Contractor, the following personal data of the above-mentioned data subjects, among others, may also be transmitted and collected and processed by the Contractor:  

    - Personal information such as name, date of birth, address etc.
    - Family information
    - Information on leisure time behaviour (hobbies, interests etc.)
    - Information on health status
    - Account information
    - Other private information (insurances, real estate, motor vehicles etc.)
    - Professional and business information


Annex 2: Technical and Organisational Security Measures pursuant to Art. 32 GDPR

The Contractor shall take the following technical and organisational measures for data security in accordance with Art. 32 GDPR.

1 Data Protection at Employee Level

    - Regular training of employees on data protection
    - Confidentiality obligations

14 Confidentiality (Art. 32 para. 1 lit. b GDPR)

14.1 Access and entrance control

Measures suitable for preventing data processing systems from being used by unauthorised persons:

    - Alarm system
    - Controlled/documented key allocation
    - Manual locking system
    - Non-duplicatable keys
    - Regulations on the locking of entrances / offices
    - Hosted server
    - Server in locked rooms
    - Security locks
    - Secure password allocation
    - Assignment of user rights
    - Automatic screen lock
    - Creation of User Profiles
    - Two-factor authentication
    - Firewall
    - Encryption of data carriers
    - Logging of access to data
    - Securing remote maintenance access
    - Careful selection of cleaning staff

14.2 Separation Control

Measures to ensure separate processing of purpose-related data:


    - Logical separation of clients

    - Sandboxing

15 Integrity, Availability and Resilience (Art. 32 para. 1 lit. b GDPR)

15.1 Transfer Control

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which parties personal data are intended to be transmitted by data transmission devices:

    - Encryption of connections
    - Securing remote maintenance access
    - Locking USB ports / connections
    - Encrypted e-mail correspondence
    - WLAN-encryption
    - Installation of Virtual Private Networks (VPN)
    - Electronic Signature

15.2 Input Control

Measures to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems:

    - Recording the entering, changing and deleting of data
    - Document management
    - Logfiles

15.3 Availability and Fast Restoration (Art. 32 para. 1 lit. b and c GDPR)
Measures to ensure that personal data is protected against accidental destruction or loss and arrangements to recover the data as quickly as possible:

    - Backup Strategy (Regular backups and checks for successful restoration of availability)
    - uninterruptible power supply (USV)
    - Anti-Virus Protection, Firewall
    - Reporting channels and emergency plans
    - Fire and smoke detection systems
    - Fire extinguishers

16 Procedures for regular Inspection, Assessment and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)


    - Data-Protection Management
    - Incident-Response-Management
    - Annual review / update of the measures taken according to the state of the art (by DPO, IT audit, etc.)
    - Order control: No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Principal, e.g.: clear contract design taking into account all legal requirements according to Art. 28 GDPR, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks

17 Incident Management

Concept for immediate reaction to breaches of the protection of personal data in accordance with legal requirements (checking, documentation, reporting) and corresponding training of employees

Annex 3: Existing Subcontractors

The contractually agreed services or the partial services described below shall be performed by the Contractor using the following subcontractors:

Name of Service Provider Address of Service Provider Type of Service Provided
Mailchimp The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308 USA
Management of our mailing lists