SaaS agreement on Order Processing

(Status: January 2020)
This agreement on order data processing applies to the use of software functionalities on the basis of Software as a Service (SaaS) from Weiss AG, Merkurstraße 45, 67663 Kaiserslautern by the customer. It is part of a written contract (also concluded in electronic form) between Weiss AG and the customer and applies to personal data processed by Weiss AG and any sub-processors used in connection with the provision of the SaaS service.
It applies to all activities in connection with the SaaS Service and for which employees of Weiss AG or agents of Weiss AG process personal data (“Data”) of the Customer.

§ 1 Subject matter, Duration and Specification of Order Processing

  • 1.1
    It is possible for Weiss AG to process personal data for the customer based on the SaaS Service in accordance with the EU Data Protection Basic Regulation (Art. 4 No. 2 and Art. 28 DSGVO) based on this agreement.
  • 1.2
    The term of this agreement shall depend on the booking period of the SaaS Service unless obligations beyond this arise from the provisions of this agreement.
  • 1.3
    The subject and duration of the order as well as the type and purpose of the processing result from the contract.
  • 1.4
    The processing potentially includes any personal data. It is at the sole discretion of the customer whether and which personal data is stored in the VAM2 database. Only the collection and storage of the following personal data is mandatory for the provision of the SaaS Service for a fee: name, e-mail account, age and depending on the payment method used, the respective money transaction data.
  • 1.5
    Data processing may potentially affect any group of persons. The customer exclusively determines the data subjects. As a service for storing all data of end users, all data of the end user are stored and are therefore subject to data processing as defined.
All information provided by the end user within the scope of registration, service and support requests, payment will be stored. Furthermore, the End User may store any digitized data. Since the administrators of Weiss AG have access to the servers, they theoretically also have access to this data.
The collection and storage of the following data are mandatory for the provision of the service in return for payment (SaaS): name, email, age and, depending on the payment method used, the respective money transaction data.
As a service for storing all data of end users, all data of the end user are stored and are therefore subject to data processing according to the definition.

§ 2 Obligations of Weiss AG

  • 2.1
    Weiss AG processes personal data exclusively as contractually agreed or as instructed by the customer unless Weiss AG is legally obliged to specific processing. If such an obligation exists for Weiss AG, the customer will be informed by Weiss AG before processing, unless notification is prohibited by law. The data provided for processing will under no circumstances be used for purposes beyond this.
  • 2.2
    Weiss AG shall take the technical and organizational measures to ensure adequate protection of the customer’s personal data. These measures shall ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of personal data. These technical and organizational measures are listed in Annex 1. The customer is responsible for ensuring that these provide an appropriate level of protection for the risks of the data to be processed.
  • 2.3
    Weiss AG guarantees to comply with its obligations under the EU Data Protection Basic Regulation and to use a procedure to regularly check the effectiveness of the technical and organizational measures to ensure the security of the processing.
  • 2.4
    Weiss AG reserves the right to make changes to the technical and organizational measures taken. However, it must be ensured that the contractually agreed level of protection is not undercut.
  • 2.5
    Weiss AG shall support the customer, to the extent agreed and within the scope of its possibilities, in fulfilling the requests and claims of persons affected under Chapter III of the DS-GVO as well as in meeting the obligations set out in Articles 33 to 36 of the DS-GVO. Weiss AG may demand appropriate remuneration for this. Weiss AG may only provide information to third parties or the affected party with the prior consent of the customer. Requests addressed directly to Weiss AG will be forwarded to the customer without delay, and Weiss AG will not itself act in an external relationship with third parties.
  • 2.6
    Weiss AG shall inform the customer immediately as soon as it becomes aware of any violations of the protection of personal data of the customer. Weiss AG shall take the necessary measures to secure the personal data and to reduce possible adverse consequences for the persons concerned.
  • 2.7
    The correction and deletion of personal data is the responsibility of the customer. The same applies to the restriction of the processing of personal data.
  • 2.8
    Weiss AG guarantees that employees involved in the processing of the client’s data and other persons working for the client are prohibited from processing personal data outside the scope of the instructions. Also, it is guaranteed that the persons authorized to handle the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The obligation of confidentiality shall continue to apply even after the termination of the order.
  • 2.9
    The contact details of the data protection officer appointed on behalf of Weiss AG are stored at imprint.
  • 2.10
    he personal data will be deleted after the end of the booking period. It is the customer’s responsibility to make backup copies of his personal data and to move the personal data before the end of the contract. Weiss AG is not obliged to disclose personal data to which the customer himself has access.
  • 2.11
    Weiss AG shall prove to the customer by appropriate means that the obligations laid down in this contract have been fulfilled.
  • 2.12
    Should inspections by the customer or an auditor commissioned by the customer be necessary in individual cases, these shall be carried out during regular business hours without disrupting the operating procedure after registration, taking into account an appropriate lead time. The customer may make this dependent on prior notification with a reasonable lead time and the signing of a confidentiality agreement concerning the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the customer is in a competitive relationship with Weiss AG, Weiss AG shall have a right of objection against this.
  • 2.13
    If a data protection supervisory authority or another sovereign supervisory authority of the customer carries out an inspection, § 2.10 shall apply accordingly. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or legal confidentiality, where a violation is punishable under the Criminal Code.

§ 3 Obligations of the customer

  • 3.1
    The customer is responsible for the quality of the personal data. The customer must inform Weiss AG immediately and completely if it detects any errors or irregularities regarding data protection regulations or its services.
  • 3.2
    In the event of a claim by a third person concerned with regard to any claims pursuant to Art. 82 DS-GVO, the customer and Weiss AG undertake to support each other in defending against the claim.

§ 4 Subcontractors

  • 4.1
    The use of subcontractors as further contract processors is only permissible if the client has given his prior consent.
  • 4.2
    A subcontractor agreement subject to approval exists if the contractor commissions further contractors with all or part of the performance agreed in the contract. The contractor will make agreements with these third parties to the extent necessary to ensure adequate data protection and information security measures.
  • 4.3
    The contractually agreed services or the partial services described below shall be performed with the involvement of the following subcontractor:
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany

§ 5 Liability

  • 5.1
    The limitations of liability set out in the SaaS Conditions shall apply.
  • 5.2
    The customer shall indemnify Weiss AG against all claims asserted by third parties against Weiss AG due to the violation of their rights due to the processing of personal data commissioned by the customer, unless the third party’s claim is based on the processing of personal data by Weiss AG contrary to instructions.

§ 6 Duty to provide information, written form clause, choice of law

  • 6.1
    If the customer’s data at Weiss AG is endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, Weiss AG must inform the customer immediately. Weiss AG will immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the customer as the “person responsible” within the meaning of the Basic Data Protection Regulation.
  • 6.2
    Amendments and supplements to this Annex and all its components – including any assurances given by the Contractor – shall require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that these Terms and Conditions have been amended or supplemented. This also applies to the waiver of this formal requirement.
  • 6.3
    In the event of any contradictions, the provisions of this data protection agreement shall apply to the provisions of the contract. Should individual parts of this agreement be ineffective, this does not affect the effectiveness of the rest of the agreement.
  • 6.4
    German law applies.

Technical and Organizational Measures to Ensure Data Privacy

1. Organisation

  • Data protection officer:
    Weiss AG has currently appointed the following data protection officer:
    Jens Wacker
    Merkurstraße 45
    67663 Kaiserslautern
    Phone: +49 631 4140490
    Mobile: +49 151-56344016

1. Measures to ensure Confidentiality

a) Access Control (premises)

Unauthorized access to buildings or rooms with data processing systems, with which personal data is processed or used, must be denied
– Visitors only have access to the entrance area after an employee has opened the door
– Keys and key allocation are handed over by an employee according to a defined process
– The doors are protected against unauthorized persons by appropriate security technology
– Unaccompanied visitors are not allowed to move / stay in the office
– Regular inspection of the site by a security service outside of business hours

b) Access (entrance) and user control (Systems)

Measures to prevent data processing systems from being used by unauthorized persons. – Computer workstations are secured by individual passwords and automatic locking after
inactivity after time. – Ban on sharing passwords
– Use of VPN technology
– The accesses are password protected
– Access is only available to authorized employees
– Remote access is only possible via encrypted connections
– All servers and client systems are protected by a regularly maintained firewall
– The passwords used must have a minimum length and are renewed at regular intervals

c) Access control (data)

Measures to ensure that those entitled to use a data processing system can only access data that is subject to their access rights and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage.
– The user rights are assigned differently and user profiles are created.
– The system administrator manages the user rights.
– The number of administrators is reduced to the minimum necessary.
– Obligation of all employees to maintain confidentiality.
– Storage of personal data in lockable cupboards.
– All employees must throw out printed information with personal data and / or
– Employees are prohibited from installing unauthorized software on the end devices

d) Transfer control

Measures to ensure that personal data cannot be illegally read, copied, modified or removed during electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish to which locations personal data are transferred by data transmission means.
– Firewall technologies are implemented according to the state of the art
– Leased lines or VPN tunnels are set up

e) Job Control

Measures, to ensure that personal data processed in the order can only be processed in accordance with the instructions of the customer.
– Existing agreements on order processing
– Our employees are instructed in data protection law at regular intervals and they are familiar with the procedural instructions and user guidelines for data processing on behalf, also with regard to the client’s right to issue instructions.
– Weiss AG has an internal data protection officer.

3. Integrity

a) Input control

Measures to ensure that stored personal data cannot be corrupted in case of system malfunctions.
  • Measures to ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input.
  • All employees are instructed in accordance with Article 32 Paragraph 4 of the DS-GVO and are obliged to ensure that personal data is handled in compliance with data protection regulations.
  • Traceability of input, modification and deletion of data through individual user names.
  • Deletion of data in accordance with data protection regulations after completion of the order.

b) Documentation control

Measures to ensure that procedures for the processing of personal data are documented in a manner that allows reasonable traceability.
  • Maintenance of a processing register
  • Documentation of the IT systems used and their system configuration

4. Availability control

Measures to ensure that personal data are protected against loss and destruction.
  • Fire and smoke alarms are available
  • Monitoring of temperature and humidity in server rooms
  • Backup data stored in a secure and separate location
  • Existing of a concept for disaster management

5. Separation control

Measures to ensure that personal data collected for different purposes can be processed separately.
  • Definition of technology of database rights
  • Separation of data from different clients

6. Ensuring the resilience of the systems

means regularly checking their own system for possible unprotected sites.
  • The import of backups is tested regularly.
  • All server systems are subject to monitoring, which in the event of faults immediately triggers reports to an administrator.