Data Processing Agreement

This agreement is between the customer ("Customer") who might be a Controller or Processor of End User Personal Data as defined by the GDPR, and numericmill e.U., Pater-Schwartz-Gasse 11A, 1150 Vienna, Austria ("FactBranch") who is a Processor and operates the service FactBranch.

Definitions

  • Account Management Page: The page of FactBranch where Customer can manage their account and accept this data processing agreement.
  • Customer Personal Data: Personal data of Customer. May include email address of primary contact at Customer, data protection officer, invoice address etc.
  • End User: The user or customer of Customer for which Customer is a Controller or Processor.
  • End User Personal Data: Personal data of End User.

Subject Matter

The subject of these terms is the provision of the service FactBranch as outlined in the terms of service. This agreement supplements the terms of service and existing privacy policy.

The main purpose of FactBranch is to process, forward and display End User data. This data includes, but is not limited to, email address, name, address, account type and revenue, and may relate to, among others, End Users, employees, prospects and suppliers. Customer may choose to give FactBranch access to different data categories. Customer warrants that they have permission to use FactBranch as a processor.

Duration of the Agreement

These terms will take effect on 25 May 2018 or when Customer accepts these terms on their Account Management Page, whichever is later. The agreement will stay in effect as long as FactBranch provides the services to Customer and will expire automatically when FactBranch deletes all of Customer’s data as described in this agreement.

FactBranch’s Obligations

FactBranch processes data and processing results exclusively within the scope of Customer's written orders. If FactBranch receives an official order to release data of Customer to authorities, FactBranch shall - insofar as legally permissible - inform Customer without delay and refer the authority to the latter.

FactBranch declares that they have obligated all persons commissioned with data processing to confidentiality prior to commencing the activity or that they are subject to an appropriate statutory confidentiality obligation. In particular, the obligation of confidentiality of persons commissioned with data processing also remains valid after the termination of their duties and their departure from FactBranch.

FactBranch hereby declares that they have taken all necessary measures to ensure the safety of the processing under Art. 32 GDPR (details can be found in Appendix 1).

FactBranch shall take technical and organizational measures to assist Customer in meeting the rights of the data subject in accordance with Chapter III of the GDPR (information, correction and deletion, data portability, objection and automated decision-making in individual cases) within the statutory periods and gives Customer all necessary information.

FactBranch shall assist Customer in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notification of personal data breaches to the supervisory authority, notification of the person concerned by an infringement of the protection of personal data, data protection impact assessment, prior consultation).

Customer acknowledges that FactBranch is required to set up a processing list in accordance with Art. 30 GDPR. This list includes names and contact details of each Customer, where applicable Customer’s local representative and data protection officer. FactBranch may make this list available to the supervisory authorities. Customer will provide the information via their Account Management Page and will ensure that all details and information are kept up-to-date and accurate.

FactBranch will grant Customer, including third parties commissioned by them, the right to inspect and conduct audits to check FactBranch’s compliance with these terms. FactBranch will provide Customer with the information necessary to control compliance with the obligations set out in this Agreement.

After termination of this agreement, FactBranch will delete all End User Personal Data and Customer Personal Data if legally permissible.

FactBranch must inform Customer immediately if FactBranch believes that an instruction by Customer violates data protection regulations of the European Union or the member states.

Place of Data Processing

Data processing activities are at least partly carried out outside the EU / EEA, in the United States of America. The adequate level of data protection results from an adequacy finding of the European Commission under Art. 45 GDPR and the EU-U.S. Privacy Shield.

Sub-Processors

FactBranch is entitled to involve sub-processors. Information about the current sub-processors, their location and function, may be found at the list of subprocessors.

Customer shall be notified by email about intended changes or addition of sub-processors at least 14 days in advance. Customer may object to changed or new sub-processors by terminating their subscription to FactBranch immediately. This termination right is Customer’s only remedy should they object to any new sub-processors.

FactBranch concludes the necessary agreements with the sub-processor within the meaning of Art. 28 (4) GDPR. In doing so, it must be ensured that the subcontractor undertakes the same obligations as FactBranch under this agreement.

Appendix 1: Technical and organizational measures

Confidentiality

  • Access control: protection against unauthorized system use: passwords (including appropriate policies), two-factor authentication, encryption of data; no unauthorized reading, copying, modification or removal within the system;
  • Pseudonymization: If possible for the respective data processing, the primary identification features of the personal data in the respective data application are pseudonymized.

Integrity

  • Encryption: All network traffic is encrypted.

Availability and resilience

  • Availability control: backups, redundancy;
  • Deletion deadlines: End User Personal Data is not persisted. All Customer Personal Data is deleted within a year after account cancellation. Where necessary for documentation purposes data records are kept and pseudonymized.

Procedures for periodic review and evaluation

  • Privacy management;
  • Evaluation of sub-processors;
  • Incident response management;
  • Privacy-friendly presets;