Data Processing Agreement according to Art. 28 GDPR

This Data Processing Agreement for the Processing of Personal Data ("DPA") shall apply to the processing activities of personal data by Mango Netsolutions GmbH, Gerichtsstraße 2, 65185 Wiesbaden, Germany (also referred to as "we" or "Contractor") provided to Customers (hereinafter referred to as "Customer" or "You") in performance of the main agreement.

Preamble

The Contractor shall provide services for online lead generation, lead validation and lead management for the Customer with the "Leadhub Platform", which shall come about contractually via the booking in direct sales or via an online booking including License Agreement and GTC, service description, etc. (hereinafter: "Main Contract"). Part of the execution of the Main Contract is the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR"). In order to meet the requirements of the GDPR for such constellations, the parties conclude the following DPA (also "Agreement"), which comes into effect upon signing or entry into force of the Main Agreement.

§ 1 Object of Assignment

(1) Within the scope of the cooperation of the parties in accordance with the Main Agreement, the Contractor shall have access to personal data of the Customer (hereinafter "Customer Data"). The Contractor shall process this Customer Data on behalf of and in accordance with the instructions of the Customer within the meaning of Art. 4 No. 8 and Art. 28 GDPR.

(2) The Customer Data shall be processed by the Contractor in the manner described in the Annexes and to the extent and for the purpose specified therein. The group of persons affected by the data processing is shown there as well. The duration of the processing shall correspond to the term of the Main Contract.

(3) Whether the Contractor's services are suitable for the processing of special categories of personal data pursuant to Art. 9 (1) GDPR shall require a risk assessment by the Customer.

(4) The Contractor is prohibited from processing Customer Data in a manner deviating from the processing specified in the Annexes.

(5) The processing of the Customer Data shall generally take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Should there be a relocation of the commissioned processing to a third country, this shall require the prior consent of the Customer and shall only take place if the special requirements of Art. 44 to 49 GDPR are met. The Customer already consents to the processing of personal data by the subcontractors named in the Annexes upon conclusion of this DPA.

(6) The provisions of this DPA shall apply to all activities related to the Main Contract. The same shall apply to all activities in which the Contractor and its employees or persons commissioned by the Contractor come into contact with Customer Data.

§ 2 Authority to issue directions

(1) The Contractor shall process the Customer Data within the scope of the commission and on behalf of and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR (commissioned processing). The Customer has the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions"). If the Contractor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Customer of these legal requirements prior to the processing.

(2) Instructions shall generally be issued by the Customer in writing or in electronic form (e-mail is sufficient); instructions issued verbally shall be confirmed by the Contractor in electronic form.

(3) If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.

§ 3 Protective Measures of Contractor

(1) The Contractor shall be obligated to observe the statutory provisions on data protection and not to disclose information obtained from the Customer's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as "Employees") to maintain confidentiality (obligation to maintain confidentiality, Art. 28 Para. 3 lit. b GDPR). Upon request of the Customer, the Contractor shall provide the Customer with evidence of the obligation of the Employees in writing or in electronic form.

(3) The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures for the adequate protection of the Customer Data pursuant to Art. 32 GDPR, in particular the measures listed in Annex 2 to this Agreement, and to maintain them for the duration of the processing of the Customer Data.

(4) The Contractor reserves the right to change the technical and organizational measures taken, while ensuring that the contractually agreed level of protection is not undercut.

(5) At the request of the Customer, the Contractor shall provide the Customer with evidence of compliance with the technical and organizational measures.

§ 4 Information and support obligations of the Contractor

(1) In the event of disruptions, suspicion of data protection violations or violations of contractual obligations of the Contractor, suspicion of security-relevant incidents or other irregularities in the processing of the Customer Data by the Contractor, persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Customer in writing or electronically without undue delay, but no later than within 48 hours. The same shall apply to audits of the Contractor by the data protection supervisory authority. These notifications should in each case contain at least the information specified in Art. 33 (3) GDPR.

(2) In the aforementioned case, the Contractor shall support the Customer in the fulfillment of its educational, remedial and informational measures in this regard to the extent reasonable.

(3) The Contractor undertakes to provide the Customer, at the latter's request and within a reasonable period of time, with all information and evidence required to carry out an inspection.

§ 5 Other obligations of the Contractor

(1) If the requirements of Art. 30 GDPR apply to the Contractor, the Contractor shall be obliged to keep a register of all categories of processing activities carried out on behalf of the Customer pursuant to Art. 30 (2) GDPR. This register shall be made available to the Customer upon request.

(2) The Contractor shall be obliged to support the Customer in the preparation of a data protection impact assessment pursuant to Art. 35 GDPR and any prior consultation with the supervisory authority pursuant to Art. 36 GDPR.

(3) The Contractor confirms that - insofar as there is a legal obligation to do so - it has appointed a data protection officer.

(4) Should the Customer Data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay, unless it is prohibited from doing so by court or administrative order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Customer as the "responsible party" within the meaning of the GDPR.

§ 6 Subcontractor relationships

(1) The Contractor may have the Processing of Personal Data performed in whole or in part by additional Processors (hereinafter "Subcontractors"). The Contractor shall inform the Customer in text form in good time in advance about the commissioning of subcontractors or changes in the subcontracting. The Customer may object to the subcontracting in text form within four weeks of becoming aware of it if there are objective reasons for doing so.

(2) A subcontractor relationship within the meaning of these provisions shall not exist if the Contractor commissions third parties with services which are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, security services, telecommunication services without any specific reference to services provided by the Contractor to the Customer as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The obligation of the Contractor to ensure compliance with data protection and data security also in these cases shall remain unaffected.

(3) The Contractor shall agree with the subcontractor on the content of the provisions made in this DPA. In particular, the technical & organizational measures to be agreed with the subcontractor must provide an equivalent level of protection.

(4) The Contractor has established subcontractor relationships with the companies listed in Annex 1, to which the Customer consents upon conclusion of this DPA.

(5) The Contractor has concluded DPAs with the subcontractors in accordance with the requirements of Section 6 (3). The Customer shall approve the aforementioned subcontractors upon this DPA becoming effective.

(6) Part of the DPA with the subcontractors is in particular that the subcontractors ensure that they have taken appropriate and suitable technical and organizational measures in accordance with Art. 32 GDPR for the processing of personal data carried out by them on behalf.

§ 7 Rights of Control

(1) The Customer shall be entitled to regularly assure itself of compliance with the provisions of this DPA. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or have the Contractor's technical and organizational measures inspected personally or by a competent third party during normal business hours, provided the third party is not in a competitive relationship with the Contractor.

(2) The Customer shall carry out inspections only to the extent necessary and take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.

(3) The Customer shall document the results of the inspection and notify the Contractor thereof. In the event of errors or irregularities discovered by the Customer, in particular during the inspection of order results, the Customer shall inform the Contractor without delay. If facts are ascertained during the inspection, the future avoidance of which requires changes to the ordered procedure, the Customer shall inform the Contractor of the necessary procedural changes without delay.

§ 8 Data Subject Rights

(1) The Contractor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling the Customer’s obligations pursuant to Articles 12 to 22 and Articles 32 to 36 of the GDPR. The Contractor shall provide the Customer with the requested information on Customer Data without undue delay, but within 14 working days at the latest, unless the Customer has the relevant information itself.

(2) If the data subject asserts its rights pursuant to Articles 16 to 18 of the GDPR, the Contractor shall be obligated to correct, delete or restrict the Customer Data without undue delay, at the latest within a period of 7 working days, upon instruction of the Customer. The Contractor shall provide the Customer with written evidence of the deletion, correction or restriction of the data upon request.

(3) If a data subject asserts rights directly against the Contractor, such as the right to information, correction or deletion of his/her data, the Contractor shall forward this request to the Customer and await the Customer's instructions. The Contractor shall not contact the data subject without corresponding individual instructions.

§ 9 Term and termination

The term of this DPA corresponds to the term of the Main Contract. It thus ends automatically upon termination of the Main Contract. If the Main Contract can be terminated with due notice, the provisions on due notice of termination shall apply accordingly to this contract. If the Contractor no longer processes any Customer Data before the Main Contract expires, this contract shall also end automatically.

§ 10 Deletion and Return of Data

(1) The Contractor shall return to the Customer after termination of the Main Contract or at any time upon the Customer’s request all documents, data and data carriers provided to the Contractor or, at the Customer's request, delete them completely and irrevocably, unless there is a statutory retention period. This shall also apply to copies of the Customer Data at the Contractor's premises, such as data backups, but not to documentation that serves as proof of the proper processing of the Customer Data in accordance with the order. Such documentation shall be kept by the Contractor for a period of 6 months and shall be returned to the Customer upon request.

(2) The Contractor shall confirm the deletion to the Customer electronically. The Customer shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.

(3) The Contractor shall be obligated to treat as confidential any data of which it becomes aware in connection with the Main Contract, even beyond the end of the Main Contract.

§ 11 Liability

(1) The liability of the parties shall be governed by Art. 82 GDPR. Any liability of the Contractor towards the Customer due to breach of obligations under this Agreement or the Main Agreement shall remain unaffected.

(2) The parties shall each release themselves from liability if a party proves that it is not responsible in any respect for the circumstance as a result of which the damage occurred to a Data Subject. This shall apply mutatis mutandis in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the respective other party bears a share of the responsibility for the violation sanctioned by the fine.

§ 12 Confidentiality & Data Secrecy

(1) The Contractor undertakes to observe the same rules for the protection of secrets as are incumbent on the Customer.

(2) There shall be a duty of confidentiality for the Contractor's employees and third parties commissioned by the Contractor. The Contractor shall impose a written confidentiality obligation on the persons employed in the processing of Customer Data pursuant to Art. 28 (3) lit. b GDPR. This is not necessary if the persons employed are already subject to an appropriate statutory duty of confidentiality. The Contractor shall document the obligation set forth in this clause in writing and submit it to the Customer upon the Customer's request.

(3) The Contractor confirms that it is aware of the relevant data protection regulations. The Contractor warrants that it will familiarize the employees engaged in the performance of the work with the data protection provisions applicable to them and that it will oblige them to comply with the applicable data protection provisions. It shall monitor compliance with the data protection regulations.

(4) The confidentiality obligations regulated in this clause shall continue to apply after termination of the contractual relationship.

(5) Furthermore, in addition to the applicable statutory provisions (in particular § 88 German Telecommunications Act, § 203 German Criminal Act, §§ 4, 23 German Trade Secrecy Act and, if applicable, special professional confidentiality obligations), the Contractor shall also be obligated to keep secret and not disclose to third parties all information and data of which it becomes aware within the scope of the contractually agreed services (confidential information). Confidential information is in particular business and trade secrets, contract conclusions, technical or commercial information of any kind or other information which is designated as confidential or which by its nature is to be regarded as confidential. This also applies in particular to:

(6) The Contractor undertakes to bind all employees who gain knowledge of the aforementioned confidential information of the Customer in the course of their work for the Customer to the same obligations as itself.

(7) If the Contractor commissions third parties, it shall ensure that the requirements of paragraphs 1 to 6 are implemented accordingly.

§ 13 Final Provisions

(1) The parties agree that the defense of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the data to be processed and the associated data carriers.

(2) Amendments and supplements to this agreement must be made in electronic form.

(3) In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Contract. Should individual provisions of this agreement prove to be invalid or unenforceable in whole or in part, or become invalid or unenforceable as a result of changes in legislation after conclusion of the agreement, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision which comes as close as possible to the meaning and purpose of the invalid provision.

(4) This DPA is subject to German law. The exclusive place of jurisdiction shall be the Contractor's registered office.

Annexes

Annex 1 – Contract Specifications

Object of Assignment

(1) Main Contract: Contract on the use of the Services of the Leadhub platform (= License Agreement)
(2) Object: Services for online lead generation, lead validation and lead management
(3) Purpose of Data Processing

In order to fulfill the obligations of the Contractor arising from the Main Contract, personal data from the Customer's sphere of control shall be processed by the Contractor to the full extent within the meaning of Art. 4 No. 2 GDPR, in particular collected, stored, changed, read out, queried, used, disclosed, compared, linked and deleted as necessary in each case. The purpose of the processing thus depends on the respective order described in the Main Contract.

(4) Type of Data

The categories of personal data concerned by the processing depend on the use of the Contractor's services by the Customer. Categories of data that may be the subject of processing include:

  • Master data (e.g. names, addresses, dates of birth),
  • Contact data (e.g. e-mail addresses, telephone numbers),
  • Content data (e.g. photographs, videos, content of documents),
  • Contract data (e.g. subject of contract, terms, customers),
  • Payment data (e.g. bank details, payment service providers),
  • Usage data (e.g. course of web services, access times),
  • Connection data (e.g. device ID, IP addresses, URL referrers), and
  • Location data (e.g. GPS data, IP geolocation).

(5) Data Subjects

The categories of data subjects concerned by the processing depend on the use of the Contractor's services by the Customer. The categories of data subjects that may be considered are:

  • Employees
  • Trainees and interns
  • Freelancers
  • Customers / interested parties and their employees
  • Suppliers and service providers
  • Business partners
  • External consultants
  • Website visitors

Subcontractors

No. | Name / Country | Object of Service | Processed Data
1 | Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Software – Hosting & SaaS services | See above, "Type of Data"
2 | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA | Software – Hosting & SaaS services | See above, "Type of Data"
3 | Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104-5401, USA | API connection service – Webhook | See above, "Type of Data"
4 | Trengo B.V., Burgemeester Reigerstraat 89, 3581 KP Utrecht, Netherlands | Chatbot integration for support and helpdesk | See above, "Type of Data"

Annex 2 – Technical and Organizational Measures

Pursuant to Article 32 of the GDPR, data controllers are obliged to take technical and organizational measures to ensure the security of the processing of personal data. Measures must be selected in such a way that, taken together, they ensure an appropriate level of protection. Against this background, this overview explains which specific measures have been taken by the Contractor with regard to the processing of personal data in the specific case.

Instructions on technical and organizational measures

1. Organization of Information Security
Policies, processes and responsibilities shall be defined to implement and control information security.

Measures:

  • ☒ Processes for managing data media and disposing of data media.
  • ☒ Definition of roles and responsibilities for operation of applications and system, data protection, and information security.
  • ☒ Obligation of employees to maintain confidentiality and data secrecy.
  • ☒ Regular implementation of training and awareness measures.

2. Privacy by Design
Privacy by design includes the idea that systems should be designed and constructed in such a way that the amount of personal data processed is minimized. Essential elements of data economy are the separation of personal identifiers and content data, the use of pseudonyms, and anonymization. In addition, the deletion of personal data must be implemented in accordance with a configurable retention period.

Measures:

  • ☒ No more personal data is collected than is necessary for the respective purpose.
  • ☒ The processing operations and systems are designed in such a way that they enable and ensure deletion of the personal data processed in compliance with the GDPR.

3. Privacy by Default
Privacy by Default refers to privacy-friendly default settings (standard settings). Example: when visiting a website, the visitor can expect that all programs that collect personal data are initially deactivated.

Measures:

  • ☒ Simple exercise of the right of withdrawal of the data subject by technical measures.
  • ☒ Tracking functions that monitor the data subject are disabled by default.
  • ☒ All default settings for selection options meet the requirements of the GDPR with regard to privacy-friendly default settings (e.g., no default settings for opt-ins).

4. Access Control
Measures to ensure that those authorized to use the data processing procedures can only access the personal data or information and data requiring protection that are subject to their access authorization (description of security mechanisms inherent in the system, encryption procedures in accordance with the state of the art. In the case of online access, it must be made clear which side is responsible for issuing and managing access security codes). The Contractor shall ensure that the users authorized to use IT infrastructure can only access content for which they are authorized and that personal data cannot be copied, modified or deleted without authorization during processing and after storage.

Measures:

  • ☒ Authorization concepts documented.
  • ☒ Access to data is restricted and only possible for authorized persons. The user account is blocked after unsuccessful login attempts or in the event of inactivity.
  • ☒ Locking of the terminal device when leaving the workplace or inactivity.
  • ☒ Number of administrators reduced to the "bare minimum".
  • ☒ Regular checking of authorizations.

5. Cryptography and / or Pseudonymization
Use of encryption procedures to ensure the proper and effective protection of the confidentiality, authenticity or integrity of personal data or information requiring protection. Measures that are likely to make it difficult to identify the data subject.

Measures:

  • ☒ Organizational instruction for the encryption of data.
  • ☒ Encryption of data carriers (e.g. mobile hard disks, USB sticks, etc.).
  • ☒ Encryption of end devices (PC, laptop, smartphones).
  • ☒ Encrypted storage of personal data.
  • ☒ Encryption of network access points and connections.
  • ☒ Use of procedures to anonymize data.

6. Building Protection
Preventing unauthorized physical access to, damage to and impairment of the organization's information and information processing equipment. The Contractor shall take measures to prevent unauthorized persons from gaining access (to be understood spatially) to data processing equipment with which personal data is processed.

Measures:

  • ☐ Zone concept and definition of security areas.
  • ☐ Building security by means of fences.
  • ☒ Security locks and key management / logging of key issuance.
  • ☒ Use of locking and access systems (chip card / transponder locking system, code security, etc.).
  • ☐ Alarm system.
  • ☒ Video surveillance.
  • ☐ Light barriers / motion detectors.
  • ☐ Use of security guards.
  • ☐ Employee / visitor badges.
  • ☒ Regulation for dealing with visitors.
  • ☒ Registration for visitors (reception).
  • ☒ Control of visitors (gatekeeper/reception).
  • ☐ Logging of visitors (visitor book).

Other measures implemented / explanations:
Further measures implemented by our service providers. If you are interested in the specific technical and organizational measures of the service providers, please contact us.

7. Protection of operating resources / information assets
Prevention of loss, damage, theft or impairment of assets and disruption of the organization's operations.

Measures:

  • ☒ Filing of files and documents in locked offices, filing cabinets.
  • ☒ Placement of server and network components in secured rooms, cabinets, etc.

8. Operating procedures and responsibilities

Ensure proper and secure operation of systems and procedures for processing information.

Measures:

  • ☒ Clear assignment of responsibilities for system and application support.
  • ☒ Separation of the processing of data from the individual Customers.
  • ☒ Separation of development, test, and production systems.

9. Data backups
Measures to ensure that personal data or information and data requiring protection are protected against accidental destruction or loss.

Measures:

  • ☒ Data backup concept with regular backups.
  • ☒ Outsourcing of backups to other buildings.
  • ☒ Regular testing of data backup and recovery of data, applications, and systems.

10. Malware protection and patch management
Preventing exploitation of technical vulnerabilities by using up-to-date antivirus software and implementing patch management.

Measures:

  • ☒ Regular monitoring of the status of security updates and system vulnerabilities.
  • ☒ Use of anti-malware software.
  • ☒ Regular application of security patches and updates.

11. Logging and Monitoring
Measures to ensure that it is possible to check and determine retrospectively whether and by whom personal data has been entered into, modified or removed from IT systems. (All system activities are logged; the logs are kept by the contractor for at least 3 years).

Measures:

  • ☒ Logging of accesses.

12. Network Security Management
Adequate protection for the network must be implemented so that the information and infrastructure components are protected.

Measures:

  • ☒ Use of network management software.
  • ☒ Use of firewall systems.
  • ☒ User authentication and encryption of external access.

13. Information transmission
Measures to ensure that personal data or information requiring protection and data cannot be read, copied, modified or removed by unauthorized persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to check and determine to which bodies a transmission of personal data or information requiring protection and data is intended by data transmission facilities.
(Description of the facilities and transmission protocols used, e.g. identification and authentication, encryption in accordance with the state of the art, automatic call-back, etc.).

Measures:

  • ☒ Regulations for the exchange of sensitive information and restriction of the group of persons authorized to transmit it.
  • ☒ Secure data transmission between client and server.
  • ☒ Appropriate protection of e-mails containing sensitive information/data.

14. Network Separation
Groups of information services, customers, users and information systems should be kept separate from each other in networks.

Measures:

  • ☒ Logical client separation.
  • ☒ Data separation by segmenting networks of different customers.

15. Supplier Relations
Measures concerning information security to reduce risks related to suppliers' access to the company's assets should be agreed with sub-suppliers / subcontractors and documented.

Measures:

  • ☒ Selection of the contractor under due diligence aspects (in particular with regard to data security).
  • ☒ Effective control rights vis-à-vis the contractor agreed upon.
  • ☒ Prior review and documentation of the security measures taken by the contractor.
  • ☒ Obligation of the contractor's employees to maintain data secrecy.
  • ☒ Ensuring the destruction of data after completion of the order.

16. Information security incident management
Consistent and effective measures for managing information security incidents (theft, system failure, etc.) shall be implemented.

Measures:

  • ☒ Documented procedure for handling security incidents.
  • ☒ Immediate information of the Customer in case of data protection incidents.

17. Information security aspects of business continuity management / emergency management
Maintaining system availability in difficult situations, such as crisis or damage events.
Emergency management must ensure this. The requirements regarding information security should be defined during business continuity and disaster recovery planning.

Measures:

  • ☒ Use of redundant systems at physically separate locations (e.g., emergency data center).
  • ☒ Early information of the Customer in case of emergencies.

18. Compliance with legal and contractual requirements
Implement measures to prevent violations of legal, official or contractual obligations and any safety requirements.

Measures:

  • ☒ Ensuring compliance with legal obligations within the scope of the cooperation.
  • ☒ Return of all data, resources and information assets to the Customer at the end of the contract.
  • ☒ Confidentiality obligations with employees as well as subcontractors and service providers.

19. Data protection requirements and data protection management
Privacy as well as protection of personal data should be ensured in accordance with the requirements of relevant legal regulations, other regulations as well as contractual provisions.

Measures:

  • ☒ Directory of processing activities.
  • ☒ Conduct data protection training.
  • ☒ Establishment of a data protection management system.
  • ☒ Data protection guidelines implemented.

20. Information Security Audits
Regular checks must be made to ensure that information processing is carried out in accordance with the defined security measures. For this purpose, the Contractor shall perform regular audits. The Contractor shall grant the Customer the right to conduct regular audits / reviews at its premises.

Measures:

  • ☒ Conducting penetration tests.