Legal information

Order processing according to Art. 28 DSGVO

The following contract is concluded between the Commitly customer (responsible party or client) and Commitly GmbH (order processor or contractor).

PREAMBLE

A contract exists between the Controller and the Processor for the use by the Controller of the Commitly software described in more detail in Section 1 (hereinafter referred to as the License Agreement). The Processor supports the Controller in implementing its own business purposes in connection with the Service Agreement - a transfer of "functions" is expressly not intended.

1. SUBJECT OF THE AGREEMENT

  1. The user has the possibility to connect existing bank accounts at German and Austrian financial institutions with Commitly, to organise their finances according to the requirements of the business and, on this basis, to create plans for future payment flows. The connection is made by an external service provider that provides an interface between the account-holding bank and Commitly.
  2. As part of the connection, the turnover list of the connected account is read out via an automated interface in read-only access. Primarily, the following information is transferred: Date of the turnover (value date), business partner of the transaction (sender or recipient), description of the transaction (purpose or reference), currency, amount. Technically, additional data can be transmitted by the bank.
  3. In addition to the collection, processing and use of data on behalf of Commitly as the main purpose, personal data is collected, processed or used, among other things, in the context of customer, supplier and personnel management as well as for other purposes (e.g. business partner and prospect support, assistance and support, analysis and improvement of Commitly's range of services, market analyses and marketing measures).
  4. The subject matter of this order is furthermore set out in the existing license agreement to which reference is made herein (hereinafter "License Agreement"). This concerns the processing of personal data (hereinafter "Data") by the Processor for the Controller in connection with the use of the Commitly software.

2. DURATION OF THE AGREEMENT

The term of this agreement corresponds to the term of the licence agreement.

3. OBLIGATIONS OF THE CONTRACTOR

  1. The Contractor undertakes to process data and processing results exclusively within the scope of the written documented orders of the Customer. If the Contractor receives an official order to release data of the Customer, the Contractor shall - to the extent permitted by law - inform the Customer thereof without undue delay and refer the authority to the Customer. Similarly, processing of the data for the Contractor's own purposes shall require a written order.
  2. The Contractor declares in a legally binding manner that it has obligated all persons entrusted with the data processing to maintain confidentiality prior to commencement of the activity or that they are subject to an appropriate statutory confidentiality obligation. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after termination of their activity and leaving the Contractor.
  3. The Contractor declares in a legally binding manner that it has taken all necessary measures to ensure the security of the processing in accordance with Art 32 DSGVO (details can be found in Annex 1).
  4. The Contractor shall take the technical and organizational measures to ensure that the Client can fulfill the rights of the data subject under Chapter III of the GDPR (information, access, correction and deletion, data portability, objection, as well as automated decision-making in individual cases) at any time within the statutory time limits and shall provide the Client with all information necessary for this purpose. If a corresponding request is addressed to the Contractor and the Contractor indicates that the Applicant mistakenly believes it to be the principal of the data processing operated by it, the Contractor shall immediately forward the request to the Principal and inform the Applicant thereof.
  5. The Contractor shall support the Client in complying with the obligations set out in Art 32 to 36 GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation).
  6. The Contractor is advised that it must set up a processing directory in accordance with Art. 30 DSGVO for the present commissioned processing.
  7. With regard to the processing of the data provided by the Customer, the Customer shall be granted the right to inspect and control the data processing facilities at any time, including through third parties commissioned by the Customer. The Contractor undertakes to make available to the Customer such information as is necessary to monitor compliance with the obligations set forth in this Agreement.
  8. After termination of this Agreement, the Contractor shall be obliged to destroy all processing results and documents containing data on behalf of the Customer. If the Contractor processes the data in a special technical format, it shall be obliged to return the data after termination of this Agreement either in this format or, at the Client's request, in the format in which it received the data from the Client or in another common format.
  9. The Contractor shall inform the Customer without undue delay if it believes that an instruction of the Customer violates data protection provisions of the Union or the Member States.

4. TECHNICAL-ORGANIZATIONAL MEASURES

  1. The Contractor shall oblige external data centers and other sub-processors to organize their internal operations in such a way that they meet the special requirements of data protection. In particular, data processing shall take place on data processing equipment for which the data center or other subcontracted processor has taken all technical and organizational measures to protect personal data.
  2. The Contractor shall establish security pursuant to Art. 28 Para. 3 lit. c, 32 DSGVO, in particular in connection with Art. 5 Para. 1, Para. 2 DSGVO. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR must be taken into account (details in Annex 1).
  3. The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes shall be documented.

5. SUBCONTRACTING RELATIONSHIPS

  1. Subcontracting relationships within the meaning of this Agreement shall be understood to be those services which directly relate to the provision of the main service. This does not include ancillary services which the Processor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor shall be obligated to implement appropriate and legally compliant contractual agreements and control measures to ensure data protection and data security of the Controller's data, even in the case of outsourced ancillary services.
  2. The outsourcing to sub-processors or the change of the existing approved sub-processors are permissible insofar as the Processor notifies the Controller of the planned commissioning of a sub-processor in writing or in text form within a reasonable period of time, but at least two weeks in advance, and the Controller does not object to the planned outsourcing to the Processor in writing or in text form by the time of the transfer of the data and a contractual agreement in accordance with Article 28 (4) of the GDPR is used as a basis. In the event of an objection by the Controller, the Processor shall have an extraordinary right of termination with respect to both this Agreement and the Service Agreement.
  3. The Controller consents to the engagement of the subcontractors notified in Annex 2 prior to the start of the Processing, subject to the condition of a contractual agreement in accordance with Article 28(4) of the GDPR.
  4. If the subcontractor provides the agreed service outside the EU/EEA and there is no decision pursuant to Art 45 (3) GDPR, the processor shall ensure data protection law admissibility by taking sufficient adequate safeguards within the meaning of Art 46 GDPR. The transfer of personal data of the controller to the subprocessor and its first activity are only permitted when all requirements for subcontracting are met.

ANNEX 1 - TECHNICAL-ORGANIZATIONAL MEASURES

1. CONFIDENTIALITY (ART. 32 PARA. 1 LIT. B DSGVO)

A. Physical access control (data center rooms):

  • Commitly customer data is processed and stored in data centers of AWS Frankfurt. All necessary measures have been taken in accordance with Art. 32 DSGVO.

B. Access control (system access):

  • User and administrator access to the Commitly system is based on a role-based access authorization model. Each user is assigned a unique ID to ensure that all system components can only be used by authorized users and administrators.
  • Technical policies exist for password complexity and password rotation.
  • Commitly applies the principle of minimum authorization (least privilege). Each user is given only the access rights necessary to perform their contractual activities. User accounts are always initially granted the fewest access rights. For granting access rights beyond the minimum authorization, a corresponding authorization must be available.
  • Use of firewall systems, virus scanners and intrusion detection systems on Commitly server systems.
  • On Commitly IT equipment (e.g. notebooks) virus scanners are installed, which include malware detection and an email filter.
  • Access to Commitly server systems is SSH-encrypted (public-key authentication) via a bastion host that restricts access to network devices and other cloud components.
  • All Commitly server systems store data exclusively on encrypted media.

C. Access control (data access):

  • Access authorization to Commitly production systems is limited to a small group of employees ("Commitly system administrators").
  • All accesses to Commitly production systems by Commitly system administrators are logged with user ID, timestamp and reason and stored in a GoBD-compliant manner for 10 years.
  • Commitly system administrators do not have access to the access logs.
  • There is an internal control system that ensures that the legality of access to Commitly production systems is regularly checked on a random basis and that these random checks are also logged.

D. Separation control:

  • Data records of different Commitly customers are specially marked in a uniform database (TenantID, software-based multi-client capability).
  • Test and production data are strictly separated in independent systems; development systems are also independent from test and production systems.
  • Different domain certificates for test and production systems.

2. INTEGRITY (ART. 32 PARA. 1 LIT. B DSGVO)

A. Transfer control:

  • Data transfer between Commitly server systems takes place exclusively within demarcated subsystems shielded by bastion hosts.
  • Where data is transmitted to commissioned partners, these data transmission channels are always TLS-encrypted.
  • Where this is technically possible, VPN connections are used.
  • As far as possible, data is only passed on in anonymized or pseudonymized form (e.g. Google anonymizeIP).
  • Data retrieval and transmission activities are logged.

B. Input control:

  • Relevant entries and operations in Commitly are logged as a function for the customer.

3. AVAILABILITY AND RESILIENCE (ART. 32 PARA. 1 LIT. B DSGVO)

A. Availability control:

  • Automatic backup copies and backups of all Commitly customer data are created on a regular basis.
  • There is a concept for the reconstruction of the data stocks and also a regular check that the data backups can actually be restored (data integrity of the backups).
  • Commitly production systems are designed with multiple redundancies.

B. Rapid recoverability (Art. 32(1)(c) GDPR):

  • Multi-redundant design of server systems and databases.
  • Backups are regularly checked for re-importability.

4. PROCEDURE FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION (ART. 32 (1) (D) GDPR; ART. 25 (1) GDPR)

  1. Data protection management is an integral part of the processes and activities of Commitly GmbH, with corresponding planning for measures to deal with opportunities/risks and the provision of appropriate resources, competencies, awareness and communication.
  2. Dedicated incident response management has not been established, but is a fixed component of data protection management.
  3. Privacy-friendly default settings (Art. 25 (2) GDPR)
  4. Order Control:
    • No commissioned data processing within the meaning of Art. 28 DSGVO without corresponding instructions from the controller
    • Clear, unambiguous instructions
    • Preventing unauthorised third parties from accessing the data
    • Prohibition to copy data in an unauthorized manner
    • Agreements on the type of data transfer and its documentation
    • Control rights by the client
    • Strict selection of service providers
    • Follow-up checks

Commitly GmbH (as at: 26.08.2022)

ANNEX 2 - SUBCONTRACTED PROCESSORS

The Controller consents to the assignment of the following sub-processors under the condition of a contractual agreement in accordance with Article 28 (24) of the GDPR:

  1. finAPI GmbH (interface provider)
     Address: Ainmillerstrasse 11, 80801 Munich, Germany
     Service: Uniform interface for retrieving online banking information
     Third country transfers: (no entry)
  2. Chargebee Inc (subscription management)
     Address: 340 S Lemon Avenue, #1537, Walnut, California 91789, USA
     Service: Subscription management software
     Third country transfers: Standard contractual clauses / DSGVO information, https://www.chargebee.com/docs/2.0/eu-gdpr.html
  3. PayPal (Europe) S.à r.l. et Cie, S.C.A. (payment processing)
     Address: 22-24 Boulevard Royal, L-2449 Luxembourg
     Service: Settlement of payments between Commitly and its users
     Third country transfers: Standard contractual clauses, https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE
  4. Intercom Inc (customer experience)
     Address: 55 2nd Street, 4th Floor, San Francisco, California 94105, USA
     Service: Medium for communication and help area within our product(s)
     Third country transfers: Standard contractual clauses, https://www.intercom.com/de/legal/data-processing-agreement
  5. Amazon Web Services Inc ("AWS Frankfurt")
     Address: 410 Terry Avenue North, Seattle, WA 98109, USA
     Service: Hosting and operational tasks
     Third country transfers: Standard contractual clauses, https://d1.awsstatic.com/whitepapers/Security/navigating-compliance-with-eu-data-transfer-requirements.pdf
  6. Mailchimp (newsletter management)
     Address: Rocket Science Group, Leon Ave NE, Suite 500, Atlanta, GA 30308, USA
     Service: Sending of our newsletter to registered interested parties as well as sending of transactional emails
     Third country transfers: Standard contractual clauses, https://mailchimp.com/de/legal/data-processing-addendum/
  7. Zendesk (support management)
     Address: Zendesk, Inc, 989 Market Street #300, San Francisco, CA 94102, USA
     Service: Customer support system
     Third country transfers: Standard contractual clauses, https://www.zendesk.de/blog/eu-us-data-transfers-after-schrems-ii/ and https://support.zendesk.com/hc/en-us/articles/4408883599130
  8. Pipedrive (CRM management)
     Address: PIPEDRIVE IRELAND LIMITED, 4th Floor, 7/8 Wilton Terrace, Dublin 2
     Service: Customer communication
     Third country transfers: Standard contractual clauses, https://www.pipedrive.com/en/terms-of-service and https://www.pipedrive.com/en/privacy
  9. Google Inc.
     Address: Amphitheatre Parkway, Mountain View, CA 94043, USA
     Service: Internal and external communication via Google Workspace
     Third country transfers: Standard contractual clauses, https://workspace.google.com/terms/dpa_terms.html
