Appendix II: Data Processing Addendum

In the course of rendering services as per the Konvo GmbH Terms & Conditions (hereinafter referred to as “Terms & Conditions”), it is necessary that Konvo GmbH (hereinafter referred to as “Software Provider”) deals with personal data with regard to which you (hereinafter referred to as “Client”) act as a controller in terms of data protection law (hereinafter referred to as “Client Data”). This agreement amends the Terms & Conditions and specifies the data protection obligations and rights of the parties in connection with the Software Provider's use of Client Data to render the services under the Terms & Conditions.

1. Subject of the Agreement

Any data subject may, at any time, contact us directly with all questions and suggestions concerning data protection.

E-Mail: [email protected]

2. Scope of the commissioning

2.1 The Software Provider shall process the Client Data on behalf and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (Processing on Behalf). The Client remains the controller in terms of data protection law.

2.2 The processing of Client Data by the Software Provider occurs in the manner and the scope and for the purpose determined in Annex 1 to this agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Terms & Conditions.

2.3 The Software Provider reserves the right to anonymize or aggregate the Client Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, developing and optimizing as well as rendering of the services agreed as per the Terms & Conditions. The parties agree that Client Data anonymized or aggregated in accordance with the above requirement are not considered Client Data for the purposes of this agreement.

2.4 The Software Provider may process and use the Client Data for his own purposes as controller to the extent legally permitted by data protection law, if permitted by a statutory permission or consent by the data subject. This Agreement does not apply to such data processing.

2.5 The processing of Client Data by the Software Provider shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Software Provider is nevertheless permitted to process Client Data in accordance with the provisions of this agreement outside the EEA if he informs the Client in advance about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3. Right of the Client to issue instructions

3.1 The Software Provider processes the Client Data in accordance with the instructions of the Client unless the Software Provider is legally required to do otherwise. In the latter case, the Software Provider shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 The instructions of the Client are in principle conclusively stipulated and documented in the provisions of this agreement. Individual instructions which deviate from the stipulations of this agreement, or which impose additional requirements, shall require the Software Provider's consent and shall be made in accordance with the change request procedure laid down in the Terms & Conditions; the instruction shall be documented, and any additional costs incurred by the Software Provider as a result thereof shall be borne by the Client.

3.3 The Software Provider shall ensure that the Client Data is processed in accordance with the instructions given by the Client. If the Software Provider is of the opinion that an instruction given by the Client infringes this agreement or applicable data protection law, he is entitled, after informing the Client accordingly, to suspend the execution of the instruction until the Client confirms the instruction. The parties agree that the sole responsibility for the processing of the Client Data in accordance with the instructions lies with the Client.

4. Legal Responsibility of the Client

4.1 The Client is solely responsible for the permissibility of the processing of the Client Data and for safeguarding the rights of data subjects in the relationship between the parties. Should third parties assert claims against the Software Provider based on the processing of Client Data in accordance with this agreement, the Client shall indemnify the Software Provider from all such claims upon first request.

4.2 The Client is responsible for providing the Software Provider with the Client Data in time for the rendering of services according to the Terms & Conditions, and he is responsible for the quality of the Client Data. The Client shall inform the Software Provider immediately and completely if, during the examination of the Software Provider's results, he finds errors or irregularities with regard to data protection provisions or his instructions.

4.3 On request, the Client shall provide the Software Provider with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Software Provider himself.

4.4 If the Software Provider is required to provide information to a governmental body or person on the processing of Client Data or to cooperate with these bodies in any other way, the Client is obliged at first request to assist the Software Provider in providing such information and in fulfilling other cooperation obligations.

5. Requirements for personnel and systems

The Software Provider shall commit all persons engaged in processing Client Data to confidentiality with respect to the processing of Client Data.

6. Security of processing

6.1 The Software Provider takes, according to Art. 32 GDPR, the necessary and appropriate technical and organizational measures, considering the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Client Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Client Data appropriate to the risk.

6.2 The Software Provider shall have the right to modify technical and organizational measures during the term of the agreement, as long as they continue to comply with the statutory requirements.

7. Engagement of further processors

7.1 The Client grants the Software Provider the general authorization to engage further processors with regard to the processing of Client Data. The further processors engaged at the time of conclusion of the agreement are listed in Annex 2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Client Data cannot be excluded, as long as the Software Provider takes reasonable steps to protect the confidentiality of the Client Data.

7.2 The Software Provider shall notify the Client of any intended changes in relation to the consultation or replacement of further processors. In individual cases, the Client has the right to object to the engagement of a potential further processor. An objection may only be raised by the Client for important reasons which have to be proven to the Software Provider. Insofar as the Client does not object within 14 days after receipt of the notification, his right to object to the corresponding engagement lapses. If the Client objects, the Software Provider is entitled to terminate the Terms & Conditions and this agreement with a notice period of 3 months.

7.3 The agreement between the Software Provider and the further processor must impose the same obligations on the latter as those incumbent upon the Software Provider under this agreement. The parties agree that this requirement is fulfilled if the contract provides a level of protection corresponding to this agreement, or if the obligations laid down in Art. 28 para. 3 GDPR are imposed on the further processor.

7.4 Subject to compliance with the requirements of Section 2.5 of this agreement, the provisions of this Section 7 shall also apply if a further processor in a third country is involved. The Client hereby authorizes the Software Provider to conclude an agreement with another processor on behalf of the Client based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of 5 February 2010. The Client declares his willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.

8. Data subjects’ rights

8.1 The Software Provider shall support the Client within reason by virtue of technical and organizational measures in fulfilling the latter’s obligation to respond to requests for exercising data subjects’ rights.

8.2 As far as a data subject submits a request for the exercise of his rights directly to the Software Provider, the Software Provider will forward this request to the Client in a timely manner.

8.3 The Software Provider shall inform the Client of any information relating to the stored Client Data, about the recipients of Client Data to which the Software Provider shall disclose it in accordance with the instruction and about the purpose of storage, as far as the Client does not have this information at his disposal and as far as he is not able to collect it himself.

8.4 The Software Provider shall, within the bounds of what is reasonable and necessary and against reimbursement of the proven expenses and costs incurred by the Software Provider as a result, enable the Client to correct, delete or restrict the further processing of Client Data, or, at the instruction of the Client, correct, block or restrict further processing himself, if and to the extent that this is impossible for the Client.

8.5 Insofar as the data subject has a right of data portability vis-à-vis the Client in respect of the Client Data pursuant to Art. 20 GDPR, the Software Provider shall support the Client, within the bounds of what is reasonable and necessary and in return for reimbursement of the proven expenses and costs incurred by the Software Provider as a result, in handing over the Client Data in a structured, commonly used and machine-readable format, if the Client is unable to obtain the data elsewhere.

9. Notification and support obligations of the Software Provider

9.1 Insofar as the Client is subject to a statutory notification obligation due to a breach of the security of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Software Provider shall inform the Client in a timely manner of any reportable events in his area of responsibility. The Software Provider shall assist the Client in fulfilling the notification obligations at the latter’s request, to the extent reasonable and necessary and in return for reimbursement of the proven expenses and costs incurred by the Software Provider as a result thereof.

9.2 The Software Provider shall assist the Client, to the extent reasonable and necessary and in return for reimbursement of the proven expenses and costs incurred by the Software Provider as a result thereof, with data protection impact assessments to be carried out by the Client and, if necessary, with subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.

10. Evidence and audits

10.1 The Software Provider shall provide the Client, at the latter’s request, with all information required and available to the Software Provider to prove compliance with his obligations under this agreement.

10.2 The Client shall be entitled to audit the Software Provider with regard to compliance with the provisions of this agreement, in particular the implementation of the technical and organizational measures, including by means of inspections.

10.3 In order to carry out inspections in accordance with Section 11.2., the Client is entitled to access the business premises of the Software Provider in which Client Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification in accordance with Section 11.5 at his own expense, without disruption of the course of business and under strict secrecy of the Software Provider's business and trade secrets.

10.4 The Software Provider is entitled, at his own discretion and taking into account the legal obligations of the Client, not to disclose information which is sensitive with regard to the Software Provider's business or if the Software Provider would be in breach of statutory or other contractual provisions as a result of its disclosure. The Client is not entitled to get access to data or information about the Software Provider's other clients, cost information, quality control and contract management reports, or any other confidential data of the Software Provider that is not directly relevant for the agreed audit purposes.

10.5 The Client shall inform the Software Provider in good time (usually at least two weeks in advance) of all circumstances relating to the performance of the audit. The Client may carry out one audit per calendar year. Further audits are carried out against reimbursement of the costs and after consultation with the Software Provider.

10.6 If the Client commissions a third party to carry out the audit, the Client shall obligate the third party in writing in the same way as the Client is obliged vis-à-vis the Software Provider according to this Section 11 of this agreement. In addition, the Client shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Software Provider, the Client shall immediately submit to him the commitment agreements with the third party. The Client may not commission any of the Software Provider's competitors to carry out the audit.

10.7 At the discretion of the Software Provider, proof of compliance with the obligations under this agreement may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by an IT security or data protection audit (e.g. according to BSI-Grundschutz) (“audit report”), if the audit report makes it possible for the Client to satisfy himself in an appropriate manner of compliance with the contractual obligations.

11. Contract term and termination

11.1 The term and termination of this agreement shall be governed by the term and termination provisions of the Terms & Conditions. A termination of the Terms & Conditions automatically results in a cancellation of this agreement. An isolated termination of this contract is excluded.

12. Liability

12.1 The Software Provider's liability under this agreement shall be governed by the disclaimers and limitations of liability provided for in the Terms & Conditions. As far as third parties assert claims against the Software Provider which are caused by the Client’s culpable breach of this agreement or one of his obligations as the controller in terms of data protection law affecting him, the Client shall upon first request indemnify and hold the Software Provider harmless from these claims.

12.2 The Client undertakes to indemnify the Software Provider upon first request against all possible fines imposed on the Software Provider corresponding to the Client’s part of responsibility for the infringement sanctioned by the fine.

13. Final provisions

13.1 In case individual provisions of this agreement are or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision with a legally permissible provision which comes closest to the purpose of the ineffective provision and which thereby satisfies the requirements of Art. 28 GDPR.

13.2 In case of conflicts between this agreement and other arrangements between the parties, in particular the Terms & Conditions, the provisions of this agreement shall prevail.

Annexes:

Annex 1: Purpose, type and extent of the processing of Client Data, types of personal data and categories of data subjects

Annex 2: Further Processors

Annex 3: Technical and Organizational Measures (TOMs)

Annex 1: Purpose, type and extent of the processing of Client Data, types of personal data and categories of data subjects

Purpose of data processing:
Enabling AI-powered marketing services for the Client according to the Terms & Conditions.

Type and extent of data processing:
Client Data will be processed in accordance with the Terms & Conditions, which may include any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Types of personal data:
Personal data relating to individuals provided to Marketing Agency in accordance with the services provided under the Terms & Conditions by (or at the direction of) Client or by Client’s (potential) customers, the extent of which is determined and controlled by Client in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data:
- First, middle and last name
- Personal contact information (phone number, e-mail address, Facebook/WhatsApp and other instant-chat channels’ account information, physical addresses)
- Date of birth, gender, language, nationality, profile pictures
- Shopping history (ordered products, number of orders, money spent, applied discounts, applied loyalty programs, wishlists, returns, service requests and general order preferences)
- Custom notes & properties (date of birth, gender, language, nationality, profile pictures, sentiments, internal comments, tags, personal preferences)
- Tracking information (cookies, browser fingerprints, attribution via Facebook Ad Manager)
- Conversational chat history from and to Client’s (potential) customers (messages, audio files, video files, other attachments)
- Survey & feedback results (interviews, NPS scores, requests)
- Billing data & plan
- Productivity and performance analytics (sales, speed, customer satisfaction)

Client may submit special categories of data to Marketing Agency as a part of its Client Data, the extent of which is determined and controlled by Client in its sole discretion, and which is, for the sake of clarity, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as data concerning health or sex life.

Categories of data subjects:
Clients’ (potential) end customers, business owners, employees, advisors, partners, agencies and freelancers.

Annex 2: Further Processors

Each entry lists: company and address; type of processing; purpose; type of data; categories of data subjects.

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Type of processing: All mentioned in Annex 1
- Purpose: Google Cloud – Hosting of Client Data (Infrastructure) and data from Client’s (potential) End Customers
- Type of data: All mentioned in Annex 1
- Categories of data subjects: All mentioned in Annex 1

WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA
- Type of processing: All mentioned in Annex 1
- Purpose: Communication with Client’s (potential) End Customers (Service Provider)
- Type of data: All mentioned in Annex 1
- Categories of data subjects: All mentioned in Annex 1

Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
- Type of processing: All mentioned in Annex 1
- Purpose: Communication with Client’s (potential) End Customers (Service Provider)
- Type of data: All mentioned in Annex 1
- Categories of data subjects: All mentioned in Annex 1

Functional Software, Inc. dba Sentry, 132 Hawthorne St, San Francisco, CA 94107, USA
- Type of processing: All mentioned in Annex 1
- Purpose: Error tracking and logging of Client’s (potential) End Customer information
- Type of data: All mentioned in Annex 1
- Categories of data subjects: All mentioned in Annex 1

Slack Technologies Ltd., One Park Place, 4th floor, Hatch Street Upper, Saint Kevin’s, Dublin 2, Ireland
- Type of processing: All mentioned in Annex 1
- Purpose: Client feedback and request handling
- Type of data: All mentioned in Annex 1
- Categories of data subjects: All mentioned in Annex 1

Annex 3: Technical and Organizational Measures (TOMs) – Security Services

The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Konvo GmbH (hereinafter referred to as “Konvo”) except where Client is responsible for security and privacy TOMs. Hoola GmbH reserves the right to revise these technical and organizational measures at any time, without notice, as long as any such revisions continue to comply with the statutory requirements.

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Konvo GmbH’s platform.
  2. Maintenance of information security policies, ensuring that policies and measures are regularly reviewed and, where necessary, improved.
  3. Communication with Konvo GmbH applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model.
  4. Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and, where applicable, utilization of commercially available and industry-standard encryption technologies.
  5. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  6. Password controls designed to manage and control password strength, and policies including prohibiting users from sharing passwords.
  7. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Konvo GmbH technology and information assets.
  8. Incident / problem management procedures designed to allow Konvo GmbH to investigate, respond to, mitigate and notify of events related to Konvo GmbH technology and information assets.
  9. Vulnerability assessment, patch management, and scheduled monitoring procedures designed to identify and assess security threats and malicious code.
  10. Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters.
  11. Furthermore, in case the provided client service is deployed on Google Cloud Platform, we also refer to Google's technical and organizational measures for keeping the platform secure.
