according to Art 28 DSGVO
nexxar GmbH, Vienna
and their customers who use or purchase reportery.io services from the processor
This Agreement shall form an integral part of the contractual relationship between the Processor and the Controller ("Main Agreement"), shall take effect upon the conclusion of the Main Agreement and shall supersede all existing contracts for the processing of Data between the Parties.
1. SCOPE, DEFINITIONS
1.1. This contract regulates the rights and obligations of the controller and processor (hereinafter referred to as the "Parties") in the context of a processing of personal data.
1.2. This contract shall apply to all activities in which employees of the Processor or sub-processors engaged by the Processor process Personal Data of the Controller.
1.3. Terms used in this Agreement shall be understood in accordance with their definition in the EU General Data Protection Regulation (Regulation [EU] 2016/679 - GDPR).
2. SUBJECT MATTER AND DURATION OF THE PROCESSING
The subject matter of this Agreement is the performance of the following tasks by the Processor:
- Provide a platform (reportery.io) to create engaging digital financial and/or sustainability reports as interactive summary pages and share them with a public audience.
2.2. Processing object
The agreement concerns the processing of the following categories of personal data by the processor:
- Business data
- Financial data
- Personal data
The following categories of persons are affected by the data processing:
- Company management
- Employees
- Shareholders
- Stakeholders
2.3. Purpose of processing
Personal data shall be processed by the processor for the following purposes:
- Publication of a financial and/or sustainability report including financial and non-financial data
2.4. Place of processing
The processor shall carry out the processing of personal data in general within the EU/EEA. Where this is not possible, data will be exported in accordance with Art 44 et seq GDPR.
Unless expressly agreed otherwise, the term of this contract is based on the term of the main agreement.
3. OBLIGATIONS OF THE PROCESSOR
3.1. The Processor confirms that it is aware of the relevant data protection regulations. It shall observe the principles of proper data processing.
3.2. The Processor undertakes to process personal data exclusively on the basis of instructions from the controller and the present contract and to comply with all data protection regulations.
3.3. If the Processor deems an instruction of the Controller to be unlawful, it shall immediately inform the Controller thereof in writing.
3.4. The Processor shall implement all appropriate technical and organisational measures provided for in Article 32 of the GDPR for the purpose of data processing security.
3.5. The Processor shall assist the Controller in responding to requests from data subjects for the protection of their rights. If such a request is addressed to the Processor, the Processor shall immediately forward it to the Controller.
3.6. The Processor shall support the Controller in the performance of the obligations incumbent upon it pursuant to Articles 32 to 36 of the GDPR, which includes in particular, but not exclusively, the setting of security measures, the notification of data protection breaches and the preparation of a data protection impact assessment.
3.7. Upon termination of the processing and at the request of the controller, the processor shall delete the personal data in its possession. If the controller so requests, the personal data shall be returned to him.
3.8. The Processor undertakes to inform the Controller of all details required to prove compliance with the obligations pursuant to Article 28 of the GDPR. In addition, the processor undertakes to support the controller in the audits to be carried out by him and to grant him access at any time.
3.9. The processor shall keep a written or electronic register of all categories of processing activities carried out on behalf of the controller pursuant to Article 30(2) of the GDPR.
3.10. The Processor undertakes to appoint a competent and reliable person as Data Protection Officer if the conditions pursuant to Article 37 of the GDPR are met.
3.11. The processor is obliged to treat as confidential the personal data and information disclosed to him or transmitted or otherwise made available to him. The knowledge of the processing results obtained shall also be covered by this duty of confidentiality.
3.12. The processor shall impose a confidentiality obligation on all persons attributable to it who are involved in the processing of personal data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality or secrecy shall continue to apply after the termination of the activity for the Processor.
3.13. The Processor shall oblige all persons entrusted with the processing of personal data to transmit such data only on the basis of instructions, unless such an obligation already exists by operation of law. In addition, the processor shall inform its employees of the transfer orders applicable to them and of the consequences of a breach of data secrecy.
3.14. The Processor shall process Personal Data only as contractually agreed or as instructed by the Controller, unless the Processor is required by law to carry out a specific processing operation. Furthermore, the processor shall not use the personal data provided for processing for any other purposes, in particular for its own purposes.
3.15. The Processor shall make available to the Controller, if required, all necessary information, in particular protocols drawn up, to prove compliance with its obligations.
3.16. If the controller is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the processor undertakes to assist the controller to the extent necessary insofar as the processing on behalf is concerned.
3.17. The processor shall only provide information to third parties or the data subject with the prior consent of the controller, unless he is under a legal or statutory obligation to do so. Requests addressed directly to him/her shall be forwarded to the controller without delay.
3.18. The Controller shall be entitled, after giving at least 7 days' notice and to the extent of the processing activities on which this Agreement is based, to monitor the Processor's compliance with the provisions on data protection and the contractual agreements, to a reasonable extent, itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing applications as well as other on-site checks during the Processor's business hours. The person(s) executing the audit shall be given access and information by the Processor as far as necessary. The Processor shall be obliged to provide the necessary information, demonstrate processes and provide evidence required to carry out a control.
4. DUTIES OF THE CONTROLLER
4.1. The Controller shall be responsible for the lawful collection and processing of the data concerned as well as the lawful transfer to the processor and shall fully indemnify and hold the processor harmless in this respect.
5. TECHNICAL AND ORGANISATIONAL MEASURES
5.1. The data security measures described in Annex 1 are set out as mandatory. They define the minimum owed by the Processor.
5.2. The processor shall implement appropriate technical and organisational measures to ensure an adequate level of data protection.
5.3. The controller shall be informed of the measures taken in each case prior to the start of the processor's processing activity.
5.4. The processor shall be obliged to check at regular intervals whether an adequate level of data protection is ensured by appropriate technical and organisational measures taken by the processor.
5.5. The processor is obliged to support the controller in establishing appropriate technical and organisational measures.
5.6. The data security measures may be adapted in accordance with the technical and organisational further development as long as the level agreed here is not undercut. The Processor shall implement any changes required to maintain information security without delay. Changes shall be communicated to the Controller without delay. Significant changes shall be agreed between the parties.
5.7. Insofar as the security measures taken do not or no longer meet the requirements notified by the controller, the processor shall notify the controller without delay.
5.8. Copies or duplicates are not made without the knowledge of the data controller. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.
5.9. Data carriers originating from or used for the Controller shall be specially marked and shall be subject to ongoing administration. They shall be stored appropriately at all times and shall not be accessible to unauthorised persons. Entries and exits shall be documented.
6. RULES ON THE CORRECTION, DELETION AND BLOCKING OF DATA
6.1. The processor shall only correct, delete or block data processed within the scope of the order in accordance with the agreement reached or in accordance with the instructions of the controller.
6.2. The Processor shall comply with the relevant instructions of the Controller at all times and also beyond the termination of this Agreement.
7.1. If the Processor intends to use another sub-processor, the Processor shall notify the Controller in writing. The notification shall be made in good time in advance so that the controller can exercise the possibility of objecting to the intended change.
7.2. The sub-processor shall act exclusively on the basis of the contract to be concluded between it and the processor pursuant to Article 28 (4) of the GDPR.
7.3. The Processor shall be liable to the Controller in the event that the Sub-Processor fails to comply with its data protection obligations.
7.4. Sub-processors shall be contractually bound to at least data protection obligations equivalent to those agreed in this contract. The Controller shall be given access to the relevant contracts between Processor and Sub-Processor upon request.
7.5. The responsibilities of the processor and the sub-processor shall be clearly demarcated.
7.6. The Processor shall carefully select the Sub-Processor with particular regard to the suitability of the technical and organisational measures taken by the Sub-Processor.
7.7. The onward transfer of data processed under the agreement to the sub-processor shall only be permitted after the processor has satisfied itself in a documented manner that the sub-processor has fully complied with its obligations. The Processor shall provide the documentation to the Controller upon request.
7.8. At present, the sub-processors specified in Annex 2 with their name, address and contract content are entrusted with the processing of personal data to the extent specified therein and are approved by the controller. The other obligations of the Processor towards sub-processors set forth herein shall remain unaffected.
7.9. Sub-processor relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The obligation of the Processor to ensure compliance with data protection and data security in these cases shall remain unaffected.
8. NOTIFICATION REQUIREMENTS
8.1. The Processor shall notify the Controller of personal data breaches without undue delay. Reasonable suspicions shall also be notified. The notification shall contain at least the information pursuant to Art. 33 (3) of the GDPR.
8.2. Significant disruptions in the execution of the order as well as violations of data protection provisions or the stipulations made in this contract by the Processor or the persons employed by the Processor shall also be notified without delay.
8.3. The Processor shall inform the Controller without undue delay of inspections or measures taken by supervisory authorities or other third parties, insofar as they relate to the processing.
8.4. The Processor warrants to support the Controller in its obligations under Articles 33 and 34 of the GDPR to the extent necessary.
9.1. The controller has a comprehensive right of instruction with regard to processing on behalf.
9.2. The Controller and processor shall designate the persons exclusively authorised to issue and accept instructions.
9.3. In the event of a change or long-term prevention of the appointed persons, the other party shall be informed immediately of their successors or representatives.
9.4. The Processor shall immediately draw the attention of the Controller to any instruction given by the Controller which, in the Processor's opinion, is in breach of the law. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.
9.5. The Processor shall document instructions given to it and their implementation.
10. TERMINATION OF THE CONTRACT
10.1. Upon termination of the contractual relationship or at any time at the request of the data controller, the data processor shall, at the choice of the data controller, either destroy the data processed on behalf of the data controller or hand it over to the data controller and then destroy it. All existing copies of the data shall also be destroyed. The destruction shall be carried out in such a way that a recovery of even residual information is no longer possible with reasonable effort.
10.2. The Processor shall be obliged to effect the immediate return or deletion also in the case of sub-Processors.
10.3. The processor shall keep proof of proper destruction and present it to the Controller upon request.
10.4. Documentation which serves as proof of proper data processing shall be kept by the processor in accordance with the respective retention periods even beyond the end of the contract. The Processor may hand them over to the Controller at the end of the contract in order to relieve the controller.
11.1. The Processor shall have the right to charge separately for services in connection with this Agreement at the applicable hourly rate.
12.1. Both parties are obliged to treat all knowledge of business secrets and data security measures of the other party obtained within the framework of the contractual relationship as confidential even after the termination of the contract. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until it has been released in writing by the other party.
13.1. In the event that property of the Processor held by the Controller is endangered by measures of third parties (such as attachment or seizure), by insolvency or composition proceedings or by other events, the Processor shall notify the Controller without undue delay.
13.2. The written form is required for ancillary agreements. This also applies to the waiver of the written form.
13.3. Should individual parts of this agreement be invalid, this shall not affect the validity of the rest of the agreement.
13.4. This contract shall be governed by Austrian law to the exclusion of its non-mandatory rules of reference. The provisions of the UN Convention on Contracts for the International Sale of Goods shall not apply.
13.5. The exclusive place of jurisdiction for all disputes arising directly or indirectly from or in connection with this contract - including its existence or non-existence - is agreed to be the court with subject-matter jurisdiction at the registered office of the Processor.
ANNEX 1 - TECHNICAL AND ORGANISATIONAL MEASURES
The Processor shall in particular implement the following technical and organisational measures:
- Information and IT systems should be available in such a way that processes dependent on them can be operated without significant impairment and can be resumed at short notice if necessary;
- The freedom from interference of IT systems and the integrity of data shall be ensured at all times as far as possible;
- Confidential information must always be protected from unauthorised access;
- Control of access to data processing facilities, e.g. through regulated key management, security doors or security personnel;
- Control of access to data processing systems, e.g. through passwords, automatic blocking mechanisms, two-factor authentication, encryption of data carriers, Virtual Private Network (VPN) or logging of user logins;
- Control of access to data within the system, e.g. through standard authorisation profiles on a "need to know" basis, network segmentation, partial access authorisations or logging of accesses;
- Pseudonymisation of personal data;
- Classification of data as confidential, internal or public;
- Protective measures to prevent the destruction or loss of personal data, e.g. through safekeeping in safes or security cabinets, storage networks, software and hardware protection;
- Protection against unauthorised reading, copying, modification or removal during data transmission, e.g. through encryption, virtual private networks (VPN), ISDN wall, content filter for incoming and outgoing data or electronic signature as well as lockable transport containers;
- Checking whether and by whom personal data have been entered, changed or deleted in data processing systems, e.g. by logging, using electronic signatures, regulating access authorisations;
- Separation of data processing for different purposes, e.g. through the use of separate databases, client separation, separation of client servers;
- Employees are regularly trained and sensitised on data protection and data security issues.
ANNEX 2 - APPROVED SUB-PROCESSORS
340 S Lemon Ave #4133
Walnut, CA 91789