Home / Buynomics: Terms and Conditions
Valid from September 2025
Buynomics GmbH, Rudolfplatz 3, 50674, Cologne, Germany (hereinafter referred to as “Buynomics”) provides access to its Software-as-a-Service solutions (“SaaS-Solutions”) towards business customers (“Client”). If a Client subscribes to a SaaS-Solution (e.g. by means of a SaaS License Order Form), an agreement is concluded between Client and Buynomics in accordance with these terms and conditions (“SaaS-Agreement”).
Section 1 - Scope of application, Subject of the SaaS-Agreement
(1) Subject of this SaaS-Agreement are the provisioning and the maintaining of Buynomics’ SaaS-Solutions – within the frame of the availability according to Section 4. The main features of the Buynomics pricing platform, a SaaS-Solution (the Platform) are:
(2) Further services, like training or customizing are not subject to this SaaS-Agreement and can be agreed on separately.
(3) The SaaS-Solutions of Buynomics are only offered towards entrepreneurs within the meaning of Sec. 13 German Civil Code (i.e., entrepreneur means a natural or legal person or a partnership with legal personality who or which, when entering into a legal transaction, acts in exercise of his or its trade, business or profession.)
(4) These Terms and Conditions are exclusively applicable on the usage of the SaaS-Solution. Any deviation must be explicitly agreed on in the SaaS-Agreement. Client’s Terms and Conditions are not applicable. This also applies in the event that Buynomics has not expressly rejected Client’s Terms and Conditions.
Section 2 – Further development; Support
(1) Buynomics extends and improves the SaaS-Solutions continuously.
(2) Buynomics may change the scope of the SaaS-Solutions’ functions at any time to an extent that is reasonable for Client. A change is in particular reasonable if it is required due to an important reason – e.g., as of disturbances in provision of services by sub-contractors or for security reasons – and the agreed characteristics, as well as the major obligations of Buynomics, substantially remain unaffected Buynomics will inform Client about the changes at least four (4) weeks in advance via e-mail, unless such changes relate to voluntary services or insignificant components of the SaaS-Solutions.
(3) In the event Buynomics changes the SaaS-Solutions differently from the descriptions in Sections 2 (1) and (2), Buynomics will inform Client accordingly in text form in advance and grant the Client a time period of at least two months to object to such changes. If Client objects to the changes, Buynomics may at its option choose to comply with this objection or terminate the SaaS-Agreement effective on the date on which the changes come into effect. The foregoing provisions of this Section apply only to the extent that Buynomics’ main performance obligations remain unaffected by the changes.
(4) The SaaS-Solutions are free from errors, if they fulfill the functions contained in the product description of Buynomics (see Section 1.1) as amended from time to time or separately agreed upon. Buynomics does not warrant that the functions of the SaaS-Solutions meet the requirements for a specific use case of Client, unless otherwise agreed contractually.
(5) Buynomics provides a ticket system. All error messages have to be submitted via the ticket system by Client built within the tool (Button – give feedback). Client is to provide reasonable assistance to Buynomics in analyzing errors, for example, through screenshot or system descriptions; error messages are to be sent to Buynomics as promptly as possible. If a SaaS-Solution is defective, Buynomics shall remedy reported errors.
Section 3 – Rights of use
(1) Client is granted a simple, non-exclusive, non-transferable, non-sublicensable right to use limited in time to the duration of the SaaS-Agreement. Buynomics shall be responsible for operation and maintenance of the SaaS-Solutions. Client may use the SaaS-Solutions for its own benefit and the benefit of its affiliated companies according to Sec. 15 et seq. German Stock Corporation Act (each an “Affiliate”). The Client shall be entitled to grant its own and Affiliates’ employees and representatives access to the SaaS-Solutions (each a “User”).
(2) For the operation and the use of the SaaS-Solutions, the system and software requirements specified by Buynomics must be complied with. Compliance with the system requirements lies solely in Client’s area of responsibility.
(3) The source code shall remain solely with Buynomics. The rights of Client to decompile according to Sections 69d and 69e German Copyright Act shall remain unaffected.
(4) Client shall not be authorized to remove or change copyright notices, trademarks, ownership information as well as other features for the identification of the Buynomics’ SaaS-Solution.
Section 4 – Availability
(1) The SaaS-Solutions of Buynomics are available on 99% of the time on an annual average.
(2) Maintenance services announced at least seven (7) days in advance (at a maximum of 3 hours/week on an annual average) will not be considered in the calculation of Section 4(1).
(3) Buynomics endeavors to perform maintenance services at times at which – on average – the SaaS-Solutions are not used frequently (i.e. on weekends).
Section 5 – Registration; Account
(1) For each Client an administrator account is created in which the Client can activate Users of the SaaS-Solution. For each User an own user account has to be created.
(2) For the creation of each account, a full name, address and e-mail-address have to be indicated. The Client ensures the accuracy of account information and keeps this information up-to-date.
(3) An account is personalized and may only be used by the registered User.
(4) The Client is obliged to use secure passwords (at least 8 characters, including a special character) and not to keep any written notes about passwords. The Client commits its Users to a correspondingly careful handling of passwords.
(5) Buynomics may suspend a user account / administrator account if there are indications that it has been used unauthorized and / or attempted or unauthorized access to the SaaS-Solution from the user account / administrator account or the backend systems of Buynomics (“hacking”). In such a case, Buynomics will promptly notify the Client via the e-mail address linked to the user account / administrator account.
(6) Access to the SaaS-Solution requires an Internet browser (Google Chrome is recommended) in its current version. The device that calls the SaaS-Solution must be connected to the Internet.
Section 6 – Liability
(1) In case of personal injury or death as well as for deliberate and grossly negligent actions, Buynomics has unlimited liability.
(2) Buynomics shall be liable for slight negligent actions only in cases of a breach of duty essential to the purposes of this SaaS-Agreement ("wesentliche Vertragspflicht"). Duties are considered essential if necessary for the due execution of the SaaS-Agreement, so Client may regularly rely on proper observation.
(3) In the events described in Section 6 (2), Buynomics’ liability for any lack of commercial results, indirect damages and loss of profits is excluded.
(4) Liability according to Section 6 (2) shall be limited to typical and foreseeable damages at the time of conclusion of the SaaS-Agreement.
(5) Liability for loss of data in the event of Section 6 (2) shall be limited to the recovery costs which would have arisen if backup copies had been regularly made in appropriate relation to the risk of such loss.
(6) Occurrences of force majeure (including strikes, lockouts and similar occurrences, insofar as they cannot be foreseen, are severe, and are not the fault of Buynomics), which make it significantly more difficult or impossible for Buynomics to provide the services owed, shall entitle Buynomics to postpone the performance of the obligations by the duration of the obstacle and an appropriate start-up period.
(7) Limitations of liability shall also apply to employees, subcontractors and agents of Buynomics.
(8) A potential liability of Buynomics for any explicit guarantees or claims based on Product Liability Law remains unaffected.
(9) Further liability of Buynomics (in particular the non-fault liability in terms of defects existing when the Agreement is concluded under Sec. 536a para. 1 of the German Civil Code) is excluded.
Section 7 – Client’s duty of care and security
(1) Client is obliged to use an up-to-date virus scanner / inspection program to check files that Client uploads to Buynomics in advance for viruses, worms, trojan horses, etc. that may impair the integrity of files and/or computer hardware and software. Buynomics shall, insofar as it discovers such files or components, notify Client thereof without undue delay. If such files or components pose a direct risk to the functioning or integrity of the SaaS-Solutions or the facilities of third parties, Buynomics may delete such data or components in order to avoid damage. This may be done even without informing Client in advance if the associated risk cannot be mitigated in any other way with appropriate financial and time effort.
(2) If there are signs of use contrary to these Terms and Conditions, Buynomics shall be entitled, taking into account the severity of the breach with regard to the interests of Client, to block the access of Client and/or individual employees to SaaS-Solution until the signs are refuted. Client shall be notified thereof.
Section 8 – Payment models; Termination
(1) The commercial terms are agreed on in the SaaS Agreement.
(2) Invoicing takes place at the beginning of each billing period agreed upon in advance. Invoiced fees are due within 30 days upon invoicing.
(3) The fees for the SaaS-Solutions do not include manual services. Buynomics may charge extra services, which include manual work, separately. Details will be defined in a separate agreement.
(4) If due license payment is not received, Buynomics may charge interest on arrears at the level defined by statutory German law. Buynomics shall, furthermore, be entitled, without prejudice to other rights, to block Client’s use from using the SaaS-Solution after issuing a reminder giving a reasonable payment deadline.
(5) The right of termination for good cause remains unaffected for both Parties.
In particular, Buynomics is entitled to terminate the SaaS-Agreement without notice if Client is in default with agreed-upon payment for more than six (6) weeks and if Buynomics has informed Client of the intended termination in written or text form at least two (2) weeks before the termination is supposed to become effective.
(6) All fees are exclusive of any withholding taxes or other taxes deducted at source imposed by a foreign tax authority or other governmental authority and/or payable under the provisions of law (“Withholding Taxes”). If Client is required to pay withholding taxes, Client shall nevertheless pay the full agreed fees to Buynomics. Buynomics shall provide Client with reasonable assistance in obtaining a refund of the Withholding Tax; in this case, Client shall indemnify Buynomics for any costs incurred.
Section 9 -Switching between Data Processing Services according to the EU Data Act
(1) The Parties agree on the following special provisions relating to Article 23 et sec EU Data Act.
(2) Any obligation of Buynomics under this section 9 is subject to Client’s request to switch to another data processing service. Such other data processing service must cover the same service type as the SaaS-Solutions according to Article 23 EU Data Act.
(3) Client may terminate the SaaS-Agreement by providing written notice of at least 60 days (“Notice Period”). Client’s rights according to Article 25 III EU Data Act to opt for switching to on-premises software or erasure remain unaffected.
(4) Upon receipt of such notice, the Parties shall commence a 30-day transition period (“Transition Period”) during which Buynomics will facilitate porting of exportable data, encompassing solely (i) data uploaded by the Client during the SaaS-Agreement’s term, and (ii) metadata generated automatically by the SaaS-Solution’s core functionalities. Excluded are (a) data derived from Buynomics’ proprietary algorithms, (b) third-party data integrated via the SaaS-Solutions, and (c) system logs or diagnostic data, provided a risk of breach of trade secrets of Buynomics exists and that such exemptions do not impede or delay the switching process provided for in Article 23 EU Data Act.
(5) If the Transition Period is technically unfeasible, Buynomics shall notify Client within 14 working days after the switching request and shall duly justify the technical unfeasibility and indicate an alternative transitional period, which shall not exceed seven months.
(6) Client may extend the Transitional Period once for a period that Client considers more appropriate for its own purposes.
(7) The SaaS-Agreement automatically terminates upon either (a) successful completion of the Transition Period or (b) expiry of the Notice Period if Client does not wish to switch but to erase its exportable data and digital assets upon termination.
(8) Upon Client’s request, Buynomics shall fulfil all obligations as to providing information, assistance, and support (e.g. data erasure) according to Article 25 EU Data Act.
(9) Buynomics makes no representations regarding the functional equivalence of the SaaS-Solutions with alternative offerings. Client acknowledges that configuration adjustments, third-party integrations, or redevelopment may be required to achieve intended outcomes in a new environment.
(10) Until 11 January 2027, Buynomics may levy reasonable fees for transition assistance, calculated at Buynomics’ then-current professional services rates. Such fees shall not exceed 125% of the average monthly recurring fee paid by Client during the preceding 12 months.
(11) In consideration of the termination according to this section 9, Client shall pay a termination fee amounting to 70% of the agreed fees that would have been payable for the remaining term of the SaaS-Agreement.
Section 10 – Feedback
To the extent Client or any of its Affiliates provides Buynomics with any suggestions or other feedback regarding the SaaS-Solutions (collectively, “Feedback”), Client (on behalf of itself and its Affiliates) grants to Buynomics an unlimited, non-exclusive, perpetual, irrevocable, royalty-free, transferable, worldwide, sub-licensable right to use, modify, disclose and otherwise fully commercialize and exploit such Feedback for any and all purposes.
Section 11 – Data processing
If Buynomics processes personal data of Client and Client’s employees within the scope of Art. 28 GDPR, the data processing agreement in Annex 1 shall apply.
Section 12 – Final provisions
(1) Should individual provisions of these Terms and Conditions be or become ineffective, they shall be replaced by provisions most closely resembling the economic intent of the ineffective provision. Should a provision of these Terms and Conditions be or become ineffective, the effectiveness of the remaining provisions of these Terms and Conditions or agreements shall remain unaffected.
(2) The SaaS-Agreement shall be governed by and construed in accordance with the laws of Germany. Exclusive legal venue shall be Cologne, Germany, where Client is a legal entity under public law.
Schedule 1: Data Processing Agreement
1. Scope of Application
To fulfill Buynomics’ obligations under the SaaS-Agreement (“Agreement”) between the Parties, Buynomics processes personal data submitted by Client and its Users; and Client acts as data controller in terms of applicable data protection laws (“Commissioned Data”). This Annex specifies the data protection obligations and the Parties’ rights in connection with processing of Commissioned Data.
2. Scope of the commissioning/Right of Client to issue instructions
2.1 Buynomics shall process the Commissioned Data exclusively on behalf of and in accordance with Client’s instructions.
2.2 Section 2.1 does not apply if Buynomics is legally obliged to a data processing.
2.3 Buynomics shall notify Client of any applicable legal restrictions before processing, unless that law prohibits such notification on important grounds of public interest.
2.4 Buynomics’ processing of Commissioned Data is limited to the type, scope and purpose determined in Schedule 1 to this Annex. Buynomics’ processing relates exclusively to the types of personal data and categories of data subjects identified in Schedule 1 to this Annex.
2.5 Client may issue instructions by using the functions of the Software.
2.6 Client may issue instructions about the type, extent, purpose and means of the processing of Commissioned Data.
2.7 Buynomics shall immediately inform Client if, in its opinion, an instruction infringes the GDPR or any other applicable data protection provisions.
2.8 The duration of processing corresponds to the duration of the Agreement.
3. Requirements for Buynomics personnel
3.1 Buynomics shall ensure all personnel engaged in the processing of Commissioned Data are adequately bound to confidentiality obligations in writing.
3.2 Buynomics shall be responsible that natural persons acting under Buynomics’ authority who have access to Commissioned Data will process such data only on Buynomics’ instructions, unless they are obliged to process the data in accordance with the law of the European Union or the Member States.
4. Security of processing
4.1 Considering the state-of-the-art technology, the implementation costs and the nature, the scope, circumstances and purposes of the processing of Commissioned Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects, Buynomics shall take appropriate technical and organizational measures to ensure an appropriate level of protection for the Commissioned Data. Schedule 2 details this obligation in greater detail.
4.2 Prior to processing Commissioned Data and throughout the term of the Agreement, Buynomics shall establish and maintain, as well as develop further (if necessary), the technical and organizational measures detailed in Schedule 2. Buynomics will ensure the processing of Commissioned Data will occur in accordance with those measures.
5. Engagement of further processors
5.1 Client authorizes Buynomics to engage subprocessors. Buynomics’ current subprocessors are listed in Schedule 3.
5.2 Buynomics shall inform Client of its intention to engage a new subcontractor. Client may reasonably oppose the proposed engagement of a new subcontractor. Client shall notify Buynomics of such objections in writing within 14 days after receipt of Buynomics’ notice relating to such new subcontractor. If the Parties cannot resolve the objections, Buynomics will not make the proposed engagement. If Client does not object the engagement of a new subprocessor, Buynomics shall document these changes to the list of subcontractors and proactively make these available to Client (e.g. by e-mail).
5.3 The Software is run in multi-tenant environment. Thus, Client’s objection may lead to a degradation, in whole or in part, in the Software and service levels agreed in the Agreement. In such instance, the Parties will attempt to resolve the situation amicably. If the Parties are unable to do so, Buynomics may terminate the Agreement extraordinarily. Partial terminations are permitted.
5.4 Buynomics shall contractually impose the same data protection obligations on each subprocessor as set out in this Annex.
5.5 Prior to each engagement and regularly throughout the term of the engagement, Buynomics shall monitor the subprocessor’s technical and organizational measures to ensure their processing of Commissioned Data occurs in accordance with this Annex.
5.6 If subprocessors outside the European Union / the European Economic Area are engaged, Buynomics will fulfill the requirements of Art. 44 (and following) GDPR.
6. Data subject’s rights
6.1 Buynomics shall use commercially reasonable efforts to support Client in fulfilling Client’s obligations to respond to requests exercising data subjects' rights.
6.2 Buynomics shall (i) inform Client without undue delay if a data subject contacts Buynomics with a request for exercising his or her rights in relation to Commissioned Data; and (ii) on request, provide Client with all reasonably necessary information available to Buynomics regarding the processing of Commissioned Data which Client needs to respond to the data subject’s request.
7. Other support obligations of Buynomics
7.1 Buynomics shall notify Client without undue delay, but not later than forty-eight (48) hours after becoming aware of any breach of Commissioned Data, including incidents that lead to the destruction, loss, alteration or unauthorized disclosure of or access to Commissioned Data. If possible, Buynomics’ initial notification shall include a description of: (i) the nature of the breach, indicating, as far as possible, the categories and the approximate number of affected data subjects, the categories and the approximate number of affected personal data sets; (ii) the likely consequences of the breach; and (iii) the measures taken or proposed by Buynomics to remedy the breach and, where appropriate, measures taken to mitigate potential adverse effects.
7.2 If Client must notify supervisory authorities and/or data subjects in accordance with Art. 33, 34 of GDPR, Buynomics shall assist Client’s notification compliance efforts, if requested.
7.3 Buynomics shall use commercially reasonable efforts to assist Client with data protection impact assessments, and if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
8. Deletion and return of Commissioned Data
8.1 Upon termination or expiration of the Agreement, Buynomics shall either completely and irrevocably delete or return all Commissioned Data to Client, unless Buynomics is obligated by law to retain Commissioned Data.
8.2 At any point before the termination or expiration of the Agreement, Client may extract certain Commissioned Data in machine-readable format (Excel).
8.3 Buynomics has implemented appropriate deletion concepts, the current version of which can be provided to Client upon request.
9. Evidence and audits
9.1 Buynomics is responsible for and shall regularly monitor that the processing of Commissioned Data is consistent with this Annex, including the extent of the Commissioned Data as specified in Schedule 1 and with the instructions of Client.
9.2 Buynomics shall document its compliance with this Annex in an appropriate manner and provide Client with appropriate evidence upon request. The documentation includes: (i) the confidentiality obligations of natural persons who process Commissioned Data; (ii) breaches of Commissioned Data occurring in Buynomics’ sphere of influence, including related facts, their effects and the remedial measures taken; (iii) as detailed in section 5, all subprocessor agreements and audits; and (iv) Client’s instruction to and the subsequent deletion of Commissioned Data.
9.3 Client shall be entitled to audit Buynomics by himself or through a commissioned auditor bound to secrecy prior to the start of the processing of Commissioned Data and regularly during the term of the Agreement with regard to compliance with the provisions of this Annex, in particular the implementation of the technical and organizational measures as defined in Schedule 2; including inspections. Buynomics will use reasonable efforts to facilitate such audits, including: (i) granting the necessary entry and access rights; (ii) and the provision of necessary information—provided that the data of other Buynomics Clients remains intact throughout the whole process.
|
Purposes |
Purpose of processing:
|
|
Categories of data subjects |
The following categories of data subjects’ personal data may be processed:
|
|
Categories of personal data |
The following categories of personal data may be processed:
|
|
Sensitive data |
None |
Schedule 2: Technical and Organisational Measures
This annex details the technical and organisational measures implemented by Buynomics to ensure a level of security appropriate to the risk, in accordance with Article 32 of the General Data Protection Regulation (GDPR). The measures are designed to protect the rights of data subjects and ensure the security of personal data processed on behalf of Client.
Technical and organizational measures in the form of Art. 32 GDPR
Version 1.3.0, Nov. 18 2024
Measures that are likely to deny unauthorized persons access to data processing systems with which personal data is processed or used.
|
☒ |
Alarm system |
☒ |
Protection of building shafts |
|
☒ |
Automatic access control system |
☒ |
Chip card/transponder locking system |
|
☒ |
Video surveillance of accesses |
☒ |
Security locks |
|
☒ |
Key regulation (key allocation, etc.) |
☒ |
Person control at the gatekeeper / reception |
|
☒ |
Manual locking system |
☒ |
Careful selection of cleaning staff |
|
☒ |
Careful selection of security guards |
☒ |
Backup of the data processing system and the workstation computer |
|
☒ |
Securing and limiting access routes |
☒ |
Other:___________________________ |
Measures that are suitable to prevent data processing systems from being used by unauthorized persons.
|
☒ |
Assignment of user rights |
☒ |
Create user profiles |
|
☒ |
Password allocation |
☒ |
Authentication with biometric methods |
|
☒ |
Authentication with username / password |
☒ |
Assignment of user profiles to IT systems |
|
☒ |
Housing locks |
☒ |
Use of VPN technology |
|
☐ |
Blocking external interfaces (USB etc.) |
☒ |
Security locks |
|
☒ |
Key regulation (key allocation, etc.) |
☒ |
Person control at the gatekeeper / reception |
|
☒ |
Recording of visitors |
☒ |
Careful selection of cleaning staff |
|
☒ |
Careful selection of security guards |
☐ |
Obligation to carry entitlement cards |
|
☒ |
Use of intrusion detection systems |
☒ |
Encryption of mobile disks |
|
☒ |
Encryption of smartphone content |
☒ |
Use of central smartphone administration software (e. g. for external deletion of data) |
|
☒ |
Use of anti-virus software |
☒ |
Encryption of data carriers in laptops / notebooks |
|
☒ |
Use of a hardware firewall |
☒ |
Use of a software firewall |
|
☒ |
Obligation to comply with data protection |
☒ |
Collection and analysis of data use |
|
☒ |
Use of combined access systems by means of a representational key (e. g. chip card) and password |
☒ |
Controlled destruction of data carriers |
|
☒ |
Special control of the use of utility programs where they are unable to circumvent security measures |
☐ |
Other:___________________________ |
Measures to ensure that those entitled to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use and after storage.
|
☒ |
Create a permission concept |
☒ |
Management of rights by system administrator |
|
☒ |
Number of administrators reduced to the "most necessary" |
☒ |
Password policy incl. password length |
|
☒ |
Logging of access to applications, especially when entering, modifying, and deleting data |
☒ |
Secure storage of disks |
|
☒ |
Physical deletion of disks before reuse |
☒ |
Proper destruction of data carriers (DIN 32757) |
|
☒ |
Use of document shredders or service providers (if possible, with data protection seal of approval) |
☒ |
Recording of destruction |
|
☒ |
Encryption of data carriers |
☒ |
Automatic logout of inactive users for a long time |
|
☒ |
Automatic blocking of user accounts if several incorrect passwords have been entered |
☒ |
Encryption of data with a particular security risk |
|
☒ |
Ensuring that entrances to rooms where data processing systems are located can be completed |
☒ |
Issuance of data carriers only by authorized persons |
|
☒ |
Guidelines to control the production of backup copies |
☐ |
Other:___________________________ |
Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which points the transfer of personal data by data transmission facilities is envisaged.
|
☒ |
Facilities of leased lines or VPN tunnels |
☒ |
Disclosure of data in anonymized or pseudonymized form |
|
☒ |
E-mail encryption and encryption for other data transmission |
☒ |
Create an overview of regular retrieval and delivery operations |
|
☒ |
Documentation of the recipients of data and the periods of time of the planned transfer or agreed deletion periods |
☒ |
During physical transport: safe transport containers/packaging |
|
☒ |
Documentation of the destination of the data transfer and the transmission route |
☒ |
Monitoring the completeness and correctness of the data transfer |
|
☒ |
In physical transport: careful selection of transport personnel and vehicles |
☒ |
Prohibition of carrying bags into the security area |
|
☒ |
Inclusion of data carriers containing confidential information |
☒ |
Safety Lockers |
|
☒ |
Deletion of remaining personal data before a disk change |
☐ |
Other:____________________________ |
Measures to ensure that it can be subsequently checked and determined whether and by whom personal data have been entered, changed, or removed into data processing systems.
|
☒ |
Logging of the entry, modification and deletion of data |
☒ |
Create an overview that shows which applications can be used to enter, change and delete which data. |
|
☒ |
Traceability of input, modification and deletion of data by individual user names (not user groups) |
☒ |
Retention of forms from which data has been transferred to automated processing |
|
☒ |
Assignment of rights to enter, modify and delete data on the basis of an authorization concept |
☒ |
Automatic logging of data processing, in particular the use of data |
|
☐ |
Other:___________________________ |
Measures to ensure that personal data processed on behalf can only be processed in accordance with the instructions of the client.
|
☒ |
Selection of the contractor from a due diligence point of view (in particular regarding data security) |
☒ |
Prior examination and documentation of the security measures taken by the contractor |
|
☒ |
Written instructions to the contractor (e. g. by order data processing contract) in the context of § 11 para. 2 BDSG |
☒ |
Obligation of the contractor's employees to data secrecy (§ 5 BDSG) |
|
☒ |
Contractor has appointed data protection officer |
☒ |
Ensuring the destruction of data after completion of the order |
|
☒ |
Effective control rights vis-à-vis the contractor agreed |
☒ |
Ongoing review of the contractor and his activities |
|
☒ |
Contractual penalties for violations |
☒ |
Internal data protection regulations, procedures, and guidelines of the contractor, insofar as they relate to the transmission of personal data by the client |
|
☒ |
Creation of an emergency plan (backup plan) |
☐ |
Other:__________________________ |
Measures to ensure that personal data is protected against accidental destruction or loss.
|
☒ |
Uninterruptible power supply (UPS) |
☒ |
Air conditioning in server rooms |
|
☒ |
Devices for monitoring temperature and humidity in server rooms |
☒ |
Protective socket strips in server rooms |
|
☒ |
Fire and smoke alarm systems |
☒ |
Fire extinguishers in server rooms |
|
☒ |
Alarm message in case of unauthorized access to server rooms |
☒ |
Create a backup &recovery concept |
|
☒ |
Testing data recovery |
☒ |
Create an emergency plan |
|
☒ |
Keep data backup in a secure, outsourced location |
☒ |
Server rooms not under sanitary facilities |
|
☒ |
In flood areas: server rooms above the water limit |
☒ |
Use of anti-virus software |
|
☒ |
Use of a software firewall |
☒ |
Protection software update policy |
|
☐ |
Other:____________________________ |
Measures to ensure that data collected for different purposes can be processed separately.
|
☒ |
Physically separate storage on separate systems or data carriers |
☒ |
Logical tenant separation (software side) |
|
☒ |
Creation of an authorization concept |
☒ |
Encryption of records processed for the same purpose |
|
☒ |
Providing the records with purpose attributes/data fields |
☒ |
For pseudonymized data: Separation of the assignment file and storage on a separate, secure IT system |
|
☒ |
Definition of database rights |
☒ |
Separation of production and test system |
|
☐ |
Other:____________________________ |
|
☒ |
Software solutions for data protection management |
☒ |
Internal/external IT security officer |
|
☒ |
Central documentation of all procedures and regulations on data protection with access for employees as required/authorization (e. g. wiki, intranet) |
☒ |
Carrying out a data protection impact assessment if necessary |
|
☒ |
Employees trained and committed to confidentiality/data secrecy |
☒ |
Formalized process for processing requests for information on the part of data subject is available |
|
☒ |
Verification of the effectiveness of the technical protective measures shall be carried out at least 1 x per year |
☒ |
Regular sensitization of employees |
|
☒ |
Internal/external data protection officer |
☐ |
Other (please describe): |
Assistance in responding to security breaches.
|
☒ |
Use of firewall and regular updating |
☒ |
Documented procedure for dealing with security incidents |
|
☒ |
Use of spam filters and regular updating |
☒ |
Involvement of the data protection officer in security incidents and data breaches |
|
☒ |
Use of virus scanners and regular updating |
☒ |
Involvement of the security officer in security incidents and data breaches |
|
☒ |
Documentation of security incidents and data breaches |
☒ |
Formalized process and responsibilities for the rectification of security incidents and data breaches |
|
☒ |
Documented process for detecting and reporting security incidents/data breaches |
☐ |
Other (please describe): |
Privacy by design / Privacy by default
|
☒ |
No more personal data is collected than is required for the respective purpose |
☒ |
Simple interpretation of the right of withdrawal of the person concerned by technical and organizational measures |
|
☐ |
Other (please describe): |
☐ |
Schedule 3: Subprocessors
|
Subprocessor |
Purpose / Service |
Place of data processing |
Level of protection and guarantees of the subprocessor |
|
Amazon Web Services EMEA SARL 38 avenue John F. Kennedy, L-1855, Luxembourg (“AWS”) |
Hosting, Cloud Services |
https://aws.amazon.com/de/compliance/iso-certified/ |
|
|
Intercom R&D Unlimited Company 124 St Stephen’s Green, Dublin 2, D02 C628 |
Customer chat & help center |
||
|
LogRocket, Inc 87 Summer Street, 3rd Floor
|
Product Analytics |
