A signed version of the following data processing agreement may be requested via compliance@kuno.io.

Data Processing Agreement
in accordance with Art. 28 General Data Protection Regulation (GDPR)

KUNO GmbH
Managing Directors: Katharina Jung, Erica Ancobia
Cuvrystraße 53
10997 Berlin

- hereinafter referred to as the Processor -

1.   Scope and duration

(1)  Subject

The subject matter of the order results from the KUNO Service Offer and Terms and Conditions Agreement to which reference is made here (hereinafter referred to as Framework Agreement).

(2)  Duration

The order is limited for the period of the Framework Agreement and may be terminated by either party according to the applicable Terms and Conditions (in their current form available on www.kuno.io). The possibility of termination without notice remains unaffected. In any case, the order ends with effective termination of the Framework Agreement.

 

2.   Specification of the data processing agreement

(1)  Nature and purpose of the intended processing of data
  • The nature and purpose of the processing of personal data by the Processor for the Controller are specifically described in the Framework Agreement.          
  • The Processor is entitled to use the Controller's data for statistical purposes in anonymized, non-recoverable form, thus without the possibility of personal reference, as well as without the possibility of reference to the Controller.
  • The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Controller and may only take place if the special requirements of Artt. 44 et seq. DS-GVO are fulfilled. The appropriate level of protection for sub-processors in the United States of America is established by standard data protection clauses (Art. 46 para. 2 lit. c and d DS-GVO) and other measures (use of data servers in the European Union).
(2)  Type of data

The subject of the processing of personal data are the types/categories of data listed as follows.

a)    The subject of the processing of personal data in the area of Human Resources Administration and Payroll Accounting:

  • Contact details (e.g. first and last name, address, e-mail address, telephone number)
  • Correspondences
  • Identification numbers (e.g. social security number, tax number, tax ID, passport or ID card number, insurance number)
  • Payment data (e.g. account number, credit card number, financial institution)
  • Physical characteristics (e.g. application photos)
  • Awards (e.g. testimonials and certificates)
  • Information about ethnic and cultural origin
  • Information on political, religious, and philosophical worldview (e.g., church tax record)
  • Health data (e.g. medical diagnoses, certificates of incapacity for work)
  • Information on trade union affiliations
  • Genetic and biometric data (e.g. gender, geometry of the face)

b)    The following data types/categories are the subject of the processing of personal data in Finance Operations:

  • Contact details (e.g. first and last name, address, e-mail address, telephone number)
  • Correspondences
  • Payment data (e.g. account number, credit card number, financial institution)
  • Customer data (e.g. billing data, user profiles, address, order history, payment data, CRM data)
(3)  Categories of affected persons

The categories of data subjects affected by the processing include:

  • Clients
  • Interested parties
  • Employees
  • Suppliers
  • Sales representatives
  • Contact
  • Applicants
  • Business partners
  • Investors

3.    Technical-organizational measures

(1)  The Processor shall document the implementation of the technical and organizational measures set out and required in the run-up to the award of the contract before the start of the processing, in particular with regard to the specific execution of the contract, and shall hand them over to the Controller for inspection. If accepted by the Controller, the documented measures shall become the basis of the order. Insofar as the examination/audit of the Controller reveals a need for adaptation, this shall be implemented by mutual agreement.

(2)  The Processor shall establish security pursuant to Art. 28 Para. 3 lit. c, 32 DS-GVO, in particular in connection with Art. 5 Para. 1, Para. 2 DS-GVO. Overall, the measures to be taken are data security measures that ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR must be taken into account (details in Exhibit 1).

(3)  The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes shall be documented.

 

4.   Correction, restriction and erasure of personal data

(1)  Insofar  as a data subject asserts its data subject rights directly against the  Processor, the Processor shall immediately forward this request to the Controller.  The Processor may not correct, delete, restrict the processing of or provide  information about the data processed on behalf of the Controller on its own  authority, but only in accordance with the Controller's documented  instructions.

(2)  Upon  the documented instruction of the Controller, the Processor shall immediately  carry out the requested deletion, correction, restriction, data transfer or  information and shall provide the Controller with written evidence thereof.

 

5.   Quality assurance and other obligations of the Processor

In addition to compliance with the provisions of this Order, the Processor  shall have statutory obligations pursuant to Art. 28 to 33 of the GDPR; in  this respect, the Processor shall in particular ensure compliance with the  following requirements:

  1. Written appointment of a data protection officer who performs his activities in accordance with Artt. 38 and 39 DS-GVO. The Processor's data protection officer is currently: Intelliant GmbH, represented by Philipp Dannenberg, Immanuelkirchstraße 3-4, 10405 Berlin, dpo@intelliant.de
  2. Maintaining  confidentiality in accordance with Art. 28 (3) p. 2 lit. b, 29, 32 (4)  DS-GVO. When performing the work, the Processor shall only use employees who  have been obligated to maintain confidentiality and who have previously been  familiarized with the data protection provisions relevant to them. The Processor  and any person subordinate to the Processor who has access to personal data  may process this data exclusively in accordance with the Controller's  instructions, including the powers granted in this contract, unless they are  legally obliged to process it.
  3. The implementation of and compliance with all  technical and organizational measures required for this order in accordance  with Artt. 28 (3) p. 2 lit. c, 32 DS-GVO (details in Exhibit 1).
  4. The  Controller and the Processor shall, upon request, cooperate with the  Supervisory Authority in the performance of its duties.
  5. The  immediate information of the Controller about control actions and measures of  the supervisory authority, insofar as they relate to this order. This shall also  apply insofar as a competent authority investigates in the context of  administrative offense or criminal proceedings with regard to the processing  of personal data during the commissioned processing at the Processor.
  6. Insofar as the Controller is exposed  to an inspection by the supervisory authority, administrative offense or  criminal proceedings, a liability claim by a data subject or a third party or  any other claim in connection with the commissioned processing at the Processor,  the Processor shall support the Controller to the best of its ability.
  7. The Processor  shall regularly monitor the internal processes as well as the technical and  organizational measures to ensure that the processing in its area of  responsibility is carried out in accordance with the requirements of the  applicable data protection law and that the protection of the rights of the  data subject is guaranteed.
  8. Verifiability  of the technical and organizational measures taken vis-à-vis the Controller  within the scope of its control powers pursuant to Section 7 of this  Agreement.

 

6.   Subcontracting

(1)  Subcontracting  relationships within the meaning of this provision shall be understood to be  those services which relate directly to the provision of the main service. This  does not include ancillary services which the Processor uses, for example, as  telecommunications services, postal/transport services, maintenance and user  service or the disposal of data carriers and other measures to ensure the  confidentiality, availability, integrity and resilience of the hardware and  software of data processing systems. However, the Processor shall be  obligated to implement appropriate and legally compliant contractual  agreements as well as control measures to ensure data protection and data  security of the Controller's data even in the case of outsourced ancillary  services.

(2)  The  Processor may engage sub-processors (further processors) only with the prior  express written or documented consent of the Controller.

  1. The Controller consents to the commissioning of the sub-processors listed in Exhibit 2 subject to the condition of a contractual agreement in accordance with Article 28 (2-4) of the GDPR;
  2. Outsourcing to sub-processors or changing the existing sub-processor is permitted to the extent:
  • the Processor notifies the Controller of such outsourcing to sub-processors a reasonable time in advance in writing or text form, and
  • the Controller does not object to the planned outsourcing in writing or in text form to the Processor until one calendar week before the date of the transfer of the data and
  • a contractual agreement in accordance with Article 28 (2-4) of the GDPR is used as a basis.

(3)  The  transfer of personal data of the Controller to the sub-processor and its  first activity shall be permitted only after all requirements for  subcontracting have been met.

(4)  If  the sub-processor provides the agreed service outside the EU/EEA, the Processor  shall ensure that it is permissible under data protection law by taking  appropriate measures. The same shall apply if service providers within the  meaning of Paragraph 1 Sentence 2 are to be used.

(5)  Further  outsourcing by the sub-processor requires the express consent of the main Processor  (at least in text form). All contractual regulations in the contractual chain  must also be imposed on the further sub-processor.

 

7.   Supervisory powers of the Controller

(1)  The  Controller shall have the right, in consultation with the Processor, to carry  out inspections of the Processor's technical and organizational measures or  to have such inspections carried out by inspectors to be named in individual  cases, provided that such inspectors are not in a competitive relationship  with the Processor. It shall have the right to satisfy itself of the Processor's  compliance with this Agreement in its business operations by means of spot  checks, which must generally be notified in good time.

(2)  The  Processor shall ensure that the Controller can satisfy itself of the Processor's  compliance with its obligations pursuant to Art. 28 of the GDPR. The Processor  undertakes to provide the Controller with the necessary information upon  request and, in particular, to provide evidence of the implementation of the  technical and organizational measures.

(3)  Evidence  of such measures, which do not only concern the specific order, can be  provided by

  •  Compliance with approved rules of  conduct pursuant to Art. 40 DS-GVO confirmed by an independent body (e.g.  data protection officer, IT security department, data protection auditors,  quality auditors) or
  • current attestations, reports or  report extracts from independent bodies (e.g. auditors, auditing, data  protection officers, IT security department, data protection auditors,  quality auditors).

(4)  The  Processor may claim remuneration for enabling inspections by the Controller.

 

8.   Communication in the case of infringements by the Processor

(1)  The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things:

  1. ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing, as well as the predicted likelihood and severity of a potential security breach, and allow for the immediate detection of relevant breach events,
  2. the obligation to report personal data breaches to the Controller without delay,
  3. the obligation to support the Controller within the scope of its duty to inform the data subject and to provide it with all relevant information in this context without delay,
  4. the support of the Controller for its data protection impact assessment,
  5. support of the Controller within the framework of prior consultations with the supervisory authority.

(2)   The Processor may claim compensation for support services that are not included  in the Statement of Work or are not due to the Processor's misconduct.

 

9.    Authority of the Controller to issue instructions

(1)  The  Controller shall confirm verbal instructions without delay (at least in text form).

(2)  The  Processor shall inform the Controller without delay if it is of the opinion  that an instruction violates data protection regulations. The Processor shall  be entitled to suspend the implementation of the corresponding instruction  until it is confirmed or amended by the Controller at least in text form.

10. Deletion and return of personal data

(1)  Copies  or duplicates of the data will not be made without the knowledge of the Controller. Excluded from this are security copies, insofar as they are  necessary to ensure proper data processing, as well as data that is required  with regard to compliance with statutory retention obligations.

(2)   After completion of the contractually agreed work or earlier upon request by the Controller - at the latest upon termination of the consulting agreement - the Processor shall hand over to the Controller all documents, processing and utilization  results created and data files related to the contractual relationship that  have come into its possession or, after prior consent, destroy them in  accordance with data protection requirements. The same shall apply to test and reject material. The protocol of the deletion shall be submitted upon request.

(3)  Documentation that serves as proof of orderly and proper data processing shall be retained  by the Processor beyond the end of the contract in accordance with the respective retention periods. The Processor may hand them over to the Controller at the end of the contract to relieve the Processor.

Exhibit 1 –
Data Processing Agreement
in accordance with art. 28 General Data Protection Regulation (GDPR)

Technical-organizational measures

1.   Confidentiality (Art. 32 para. 1 lit. b DS-GVO)

  I.  Physical admission control measures

  1. Realization  of the access protection to the premises is ensured through security service,  video surveillance in the entrance area as well as electronic / binding  access control system
  2. Rooms are secured by security locks / smart card reader
  3. Determination of authorized persons
  4. Management  and documentation of personal access authorizations
  5. Access control of visitors  and external personnel
  6. Monitoring of the rooms outside the closing hours through security locks / smart card reader and security service

   II.  System access control measures

  1. Access protection to all data  processing systems through user authentication
  2. Existence of boot passwords (desktop  and laptops)
  3. Full encryption of hard disks in standby and off state
  4. WLAN security through deactivation of insecure  methods (e.g. WPS, WPA), password policies and a separate guest network
  5. Access data, in particular passwords,  are managed in password managers
  6. Strong authentication with the highest  level of protection by use of mechanisms that require both possession and  knowledge for authentication (2-step authentication) or Time-based  One-Time-Password (TOTP) + access data
  7. Authentication secrets are transmitted  over the network only in encrypted form
  8. Blocking in case of failed attempts  and process for resetting blocked access IDs through access blocking after 3  failed attempts and secure lock reset procedure
  9. Users are instructed about the prohibition  of saving passwords and/or form entries (clients) (e.g. through storage in  the browser, "password databases," or sticky notes)
  10. Determination of authorized persons through  the existence of role concepts (predefined user profiles), individually  assigned access rights as well as regular reviews of authorized persons
  11. Management and documentation of  personal authentication media and access authorizations through a defined process  for requesting, approving, issuing and withdrawing authentication media and  access authorizations
  12. Logging of the access through archived  successful and rejected access attempts (used identifier, computer, IP  address) and random evaluations
  13. Measures at the user's workplace
  • If the workstation or terminal is inactive for more than 5 minutes, the system must be password protected
  • Workstations and terminals are protected against unauthorized use by the employee when temporarily leaving the workplace
  • All employees are trained on and comply with measures to protect the user workplace

III.  Data access control measures

  1. Existence of rules and procedures for creating, modifying, deleting authorization profiles or user roles.
  2. Use of passwords and defined password rules
  3. The scope of the authorizations is limited to the minimum necessary for the respective task or function fulfillment (logically, temporally,  etc.).
  4. Management and documentation of  personal access authorizations by means of a process for granting and revoking access authorizations and checking them, linking authorizations to an account, revoking them if the authorization is no longer valid, and retaining the documentation
  5. Appropriate measures have been taken to prevent the concentration of different roles or access rights on one  person from giving this person an overpowering overall control in combination
  6. Logging of data access by archiving read, input, change and delete transactions
  7. Secure and encrypted storage of data media

IV.  Data separation control measures

  1. Implementation and documentation of a separation of functions (e.g. dual control principle)
  2. Existence of guidelines and work instructions
  3. Existence of procedural  documentation
  4. Technical  and organizational regulations and measures are in place to ensure separate  processing (storage, modification, deletion and transfer, etc.) and/or storage of data and/or data carriers with different contractual purpose

  V.  Pseudonymization measures (Art. 32 para. 1 lit. a DS-GVO; Art. 25 para. 1 DS-GVO)

  1. Instruction of employees on the general implementation of pseudonymization, unless a  personal reference is absolutely necessary for processing
  2. Instruction of employees on pseudonymization of data during communication and processing with subcontractors

 

2.   Integrity (Art. 32 para. 1 lit. b DS-GVO)

    I.  Transfer control measures

  1. Existence of a regulation for the making of copies
  2. Safety gateways through activated network/hardware  firewalls and personal/desktop firewalls activated by the user
  3. Secure storage of data through  encryption
  4. The use of mobile data carriers is limited to a minimum and takes  place exclusively in encrypted form
  5. Employees are trained on existing  procedures for data medium management
  6. Mandatory packaging and shipping regulations exist for the transport of personal data by means of data carriers
  7. There are regulations for the destruction of data media and documents in compliance with data protection  requirements
  8. For a data protection-compliant deletion/destruction process, data carriers as well as hardware components are deleted in a data protection-compliant manner before they are reused by  other users; recovery of the deleted data is not possible at all or only with  disproportionate effort
  9. Deletion logs by logging the complete,  data protection-compliant and permanent deletion of data or data carriers  with customer data of the client and log archiving

 II.  Input control measures

  1. Assignment of rights to enter, change  and delete data on the basis of an authorization concept
  2. The entry, modification and deletion of data are logged and archived
  3. Traceability of input, modification  and deletion of data through individual user names

III.  Availability and resilience control measures (Art. 32 para. 1 lit. b DS-GVO)

  1. A backup concept exists, including the designation of the responsible person and representative, and it is regularly checked whether it is possible to restore a backup
  2. An emergency plan exists in which the steps to be taken are listed and it is determined which persons, in particular also on the part of the customer, are to be informed about the incident
  3. Regular control of the condition and markings of data carriers for data backups
  4. Existence of an up-to-date antivirus program

3.   Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

    I.  Data protection management / Measures for regular review, assessment and evaluation

  1. Selection of a data protection officer
  2. Determination of the testing rhythms
  3. Control  of the implementation of the evaluation
  4. Evaluation of the results
  5. Adjustment  of the TOM if necessary

  II.  Incident response management measures

  1. Identification of possible cases of data breach
  2. Description of the process to be followed in case of a data breach
  3. Description of responsibilities
  4. Description of the technical procedure for eliminating a data breach

III.  Data protection-friendly default settings measures (Art. 25 (2) DS-GVO)

  1. Creation of a concept for data protection by technology ("privacy by  design")
  2. Creation of a concept for data protection-friendly default settings ("privacy by  default")
  3. Minimize the amount of data collected
  4. Reduction of the scope of data processing
  5. Reduction of storage periods
  6. Making the accessibility of the data more difficult

IV.  Order control measures

  1. Selection of the contractor under due diligence aspects (especially with regard to data  security)
  2. Written instructions to the contractor (e.g. by order data processing contract)
  3. Effective control rights vis-à-vis the  contractor agreed
  4. Contractual penalties for violations
  5. Prior review and documentation of the  security measures taken at the contractor's site.
  6. Obligation of the contractor's  employees to maintain data secrecy
  7. Ensuring the destruction of data after  the completion of the order
  8. Ongoing  review of the contractor and its activities

Exhibit 2 –
Data Processing Agreement
in accordance with art. 28 General Data Protection Regulation (GDPR)

Subcontracting relationships

The Client consents to the engagement of the following subcontractors subject to the condition of a contractual agreement in accordance with Article 28 (2-4) of the GDPR:

| Subcontractor | Address/Country | Purpose |
|---|---|---|
| Microsoft Ireland Operations Limited | The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, Ireland | E-mail system, data storage, server location Germany |
| Adobe Systems Software Ireland Limited | 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland | Sending / storing of digital signatures |
| Commehr GmbH | Nürnberger Straße 38, 10777 Berlin, Germany | Service provider for IT security, IT maintenance, IT consulting |
| Freshworks Ltd. | Neue Grünstraße 17, 10179 Berlin, Germany | Customer Support & Ticketing System |
| Finui GmbH | Blumenstraße 47, 10243 Berlin, Germany | Invoice approval process, ticketing system, data storage medium |
| Personio GmbH | Rundfunkplatz 4, 80335 Munich, Germany | HR management system |
| Northwind – Payroll Service & HR Consulting UG(hb) | Carl-von-Ossietzky-Weg 63, 21684 Stade, Germany | Payroll administrator |
| PAS Business Services GmbH | Walter-Köhn-Straße 4d, 04356 Leipzig, Germany | Payroll administrator |
| DATEV eG | Paumgartner Street 6-14, 90429 Nuremberg, Germany | Commercial financial accounting |
| Rydoo NV | Hendrik Consciencestraat 40-42, 2800 Mechelen, Belgium | Expense reimbursements and travel expense reports |
| Easybill GmbH | Düsselstraße 21, 41564 Kaarst, Germany | Processing, creation and storage of invoices |
| Netzwerk Dresden GmbH | Fritz-Meinhardt-Straße 70, 01239 Dresden, Germany | DATEV system partner as service provider |