1.1 Scope of application: This agreement on order data processing applies to the legal relationship between Zippsafe AG, including all domestic and international subsidiaries, and its customers (hereinafter jointly referred to as the “parties”); provided, however, that this agreement on order data processing is not relevant to customers of Zippsafe USA Inc. to the extent that U.S. data protection, data privacy and similar laws do not regulate the collection, processing, storing and/or controlling within the U.S. of personal data and information as contemplated by the order forms supplied by Zippsafe USA Inc.
1.2 Subject matter: The subject matter of this agreement is the processing of personal data in the context of fulfilling the obligations arising from the offer by Zippsafe AG. The subjects of the data processing are the categories of data and persons listed in the offer.
1.3 Period of validity: The agreement remains valid as long as Zippsafe AG processes personal data on behalf of the customer, including beyond the end of the contract if personal data continues to be processed by Zippsafe AG after the conclusion of the contractual relationship. After termination of the contract, the right to audit is limited to written requests.
2.1 Data processing locations: Processing of data takes place in the country where it is collected, in the European Union, in Switzerland, or in any combination thereof.
2.2 Use of subcontracted processors: Zippsafe AG is entitled to engage subcontracted processors to fulfill the service. Before commissioning new subcontractors, Zippsafe AG shall inform the customer in writing at least four weeks in advance. The customer may object to the engagement of a subcontractor in justified cases. If the customer does not raise an objection within four weeks of being informed, the subcontractor shall be considered approved. In case of disagreement, both parties reserve the right to terminate the contract with a 30-day notice period.
2.3 Confidentiality and training: Zippsafe AG only uses persons or subcontractors who are contractually or legally obliged to maintain confidentiality and who are familiar with the relevant data protection regulations.
2.4 Personal data shall only be processed in accordance with documented instructions from the customer. Verbal instructions must be confirmed immediately in written form. If Zippsafe AG is of the opinion that an instruction violates data protection law, it will inform the customer of this and suspend processing until the customer confirms the instruction in writing.
2.5 Intended use of the data: Zippsafe AG commits to using the personal data exclusively for the purposes specified in the offer. Exceptions include the disclosure of data in response to official inquiries or for legal enforcement purposes, in which case Zippsafe AG will inform the customer as soon as possible, provided such notification is permissible.
2.6 Copies: No copies or duplicates of the data will be made without the customer's knowledge. Exceptions from this are backup copies and other technically necessary copies, insofar as they are necessary to ensure proper data processing.
2.7 Data deletion: At the customer’s request, but at the latest upon termination of the contract, Zippsafe AG shall delete all personal data of the customer, unless otherwise agreed (e.g. backup storage) or unless retention is required for legal prosecution purposes or due to statutory retention obligations.
3.1 Inspection rights of the customer: Zippsafe AG allows the customer or an inspector authorized by the customer to conduct audits regarding compliance with this agreement, whereby the inspector may not be in direct or indirect competition with Zippsafe AG. Such audits must be announced at least 4 weeks in advance. The customer is entitled to one free audit day per year. Additional expenses on the part of Zippsafe AG must be remunerated by the customer at normal market rates. The costs for an inspector authorized by the customer shall be borne by the customer.
3.2 Proof: Instead of an on-site audit, Zippsafe AG shall, upon request, provide written evidence of compliance (e.g., by disclosing audit reports, certifications, or other test results, such as penetration tests). If Zippsafe AG holds an ISO 27001 or equivalent certification whose scope covers the scope of application, evidence of the appropriateness of the technical and organizational measures is deemed to have been provided, and a right to an on-site audit exists only in justified cases of suspicion.
4.1 Technical and organizational measures: Zippsafe AG ensures the security of data through appropriate technical and organizational measures. These measures are subject to technical progress, and Zippsafe AG can implement alternative adequate measures as long as the security level is not undercut and significant changes are documented. Zippsafe AG takes the following technical and organizational measures on its infrastructure and in its organization.
Access controls (Identity and Access Management (IAM), data access only with authentication, Multi-Factor Authentication (MFA) for all accesses, Privileged Access Management (PAM), password rules, least privilege principle, need-to-know principle).
Encryption and backup (data encrypted at-rest and in-transit, backups and business continuity management (BCM) concept).
Security measures (firewalls, endpoint detection and response (EDR)/extended detection and response (XDR), hardware and software inventories, malware protection, up-to-date patch management, separation of productive and other systems, information security directive).
4.2 Notification of security incidents: Zippsafe AG will inform the customer within 48 hours of detecting a security incident.
4.3 Support services: Zippsafe AG supports the customer in the preparation of data protection impact assessments, in responding to inquiries from data subjects and in the event of inquiries or inspections by authorities regarding personal data. Zippsafe AG may charge the customer for any costs incurred.