Data Processing Agreement

Preamble

This contract governs the data protection obligations of the contractor PaperSpace GmbH, Am Bartelskamp 16, D-38553 Wasbüttel, represented by the authorized managing director Martin Stämmler, towards the respective client.

1. Subject, Duration of the Assignment, Type and Purpose of Processing, Type of Data, Categories of Affected Parties

The subject and duration of the assignment, the type and purpose of the processing, the type of data and the categories of affected parties are derived from the order and the general terms and conditions for using PaperSpace (hereinafter referred to as the "main contract") between the parties. The contract ends with the termination of the main contract and the fulfillment of the obligations according to clause 10. If no agreement has been reached in the main contract regarding the aforementioned regulation, Attachment 2 to this contract applies.

2. Security of Processing

The contractor complies with the agreed technical and organizational measures according to Art. 5 para. 1 and Art. 32 GDPR within his area of responsibility and has designed his internal organization in accordance with data protection requirements. This includes the technical and organizational measures outlined in Attachment 1.

The contractor regularly checks the internal processes as well as the technical and organizational measures to ensure that the processing in his area of responsibility is in line with the requirements of the applicable data protection law and that the protection of the rights of the affected person is guaranteed.

3. Correction, Deletion, and Restriction of Data

The contractor is only allowed to correct, delete, or restrict the data processed on behalf of the client upon instruction. If an affected party should directly approach the contractor for correction or deletion of his data or for restriction of processing, the contractor will immediately forward this request to the client.

The contractor will support the client in the event that affected parties assert their statutory rights; this particularly includes support in responding to requests to exercise the rights of the affected parties using appropriate technical and organizational measures.

4. Duties of the Contractor

The contractor ensures compliance with the following obligations:

  1. Written appointment of a data protection officer, as legally required.
  2. All individuals who can access the client's personal data based on the assignment must be obligated in writing to maintain confidentiality and be informed about the special data protection obligations arising from this contract, as well as the existing directive or purpose binding. Upon request by the client, the contractor will present these obligation declarations. This is not necessary if there's a suitable legal duty of confidentiality for the concerned individuals.
  3. Permitting inspections by the competent data protection supervisory authorities to the same extent as the supervisory authorities may carry out checks at the client. Supporting the client during inspections and requests from supervisory authorities.
  4. Immediate notification to the client about control actions and measures by the supervisory authority. This also applies if a competent authority investigates the contractor in accordance with Art. 82 ff. GDPR.
  5. Appropriate support for the client in ensuring the security of processing pursuant to Art. 32 GDPR.
  6. Appropriate assistance to the client with data protection impact assessments according to Art. 35 GDPR and with the prior consultation of the competent data protection supervisory authorities according to Art. 36 GDPR.
  7. Appropriate assistance to the client in reporting breaches of personal data protection to the supervisory authority (Art. 33 GDPR) and in notifying individuals affected by breaches of personal data protection (Art. 34 GDPR).
  8. Submission of the information required under Art. 30 para. 2 GDPR.

5. Subcontracting

The client agrees that the contractor may grant subcontracts to affiliated and non-affiliated external companies for the fulfillment of his contractual services. When granting a subcontract, the contractual agreements between the contractor and the subcontractor are designed to meet the requirements for data protection and data security between the contract parties of this agreement.

The client can object to a subcontract if there's proven legitimate interest or if there's a different arrangement in the main contract. Upon the client's written request, the contractor will provide information on the main contract content (services excluding prices) and the implementation of the data protection-relevant obligations of the subcontractor.

The contractor will always inform the client about any intended change regarding the addition of new or the replacement of previous subcontractors, giving the client the opportunity to object to such changes.

6. Location of Processing

The contractor's processing of data is geographically limited to the EU and the EEA. The transfer of data by the contractor to a recipient located outside the EEA is only permitted under the conditions of Art. 44 ff. GDPR and requires the separate prior written consent of the client.

7. Client's Audit Rights

The client may, upon timely written notification and with a notice period of at least four bank working days, inspect the operational premises during regular business hours, i.e., between 09:00 and 18:00, without disrupting the operational processes, in order to verify the adequacy of the measures in compliance with the technical and organizational requirements of the relevant data protection laws. The contractor is obligated to allow the client's inspections as per this contract and to provide the support necessary for them. Upon written request, the contractor will provide the client, within a reasonable period, with the information necessary for the conduct of a comprehensive contract audit. In particular, the contractor allows the client to verify adherence to the technical and organizational measures implemented by the contractor, both before the onset of data processing and regularly thereafter.

8. Notifications of Data Protection Breaches and Processing Errors

The contractor shall notify the client immediately upon becoming aware of any violations by him, his employees, or subcontractors against regulations protecting the client's data (especially the GDPR) or against the stipulations set in this agreement, or if there is a suspicion of such violations. The contractor will document such incidents, promptly investigate them, and take corrective action.

He will keep the client informed about the progress of the matter until the incident is resolved. If the breach poses a risk to the rights and freedoms of the affected individuals as per Art. 33 of the GDPR, the contractor will fully support the client in investigating the incident and in the corresponding notification to the data protection supervisory authority or the affected individuals.

9. Instruction Authority of the Client

The handling of the data takes place exclusively within the framework of the agreements made and as instructed by the client. The client reserves, within the scope of the task description made in this agreement, a comprehensive right to instruct on the nature, extent, and method of data processing, which he can specify with individual instructions. The provisions of the main contract are solely decisive for the actual scope of the instruction authority, which is limited to the functionalities regulated there. Changes to the subject of processing and changes in procedure must be coordinated between the parties and documented jointly.

The contractor may only provide information to third parties or the affected person with the prior written consent of the client. The client will promptly confirm oral instructions in writing or by e-mail (in text form).

The contractor does not use the data for any other purposes and is in particular not entitled to pass it on to third parties. Copies and duplicates are not created without the knowledge of the client. Excluded from this are backup copies, as far as they are necessary to ensure proper data processing, as well as data required in view of compliance with legal storage obligations. The contractor must inform the client immediately if he believes an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the person responsible at the client. The contractor will document the instructions as necessary.

10. Deletion after Contract Termination

Subject to different agreements and legal or statutory obligations, the contractor is obliged after the end of the contract to immediately return data carriers handed over to him to the client and to delete personal data related to the order that has not yet been deleted. If the contractor does not return documents or data carriers with personal data to be destroyed to the client, the contractor is obliged to dispose of the documents properly so that unauthorized third parties cannot gain knowledge of the data.

Attachment 1: Technical and Organizational Measures

1. Protective Measures and Risk Assessment

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the contractor must implement suitable technical and organizational measures to ensure an appropriate level of protection.

2. Pseudonymization and Encryption

These measures may include, among other things, the pseudonymization and encryption of personal data, as far as such means are possible in light of the purposes of processing.

3. Objective of the Measures

The measures are intended to ensure

  1. that the confidentiality, integrity, availability, and resilience of the systems and services related to processing are continuously maintained, and
  2. that the availability of personal data and access to them can be quickly restored in the event of a physical or technical incident.

4. Risk Assessment and Measures

After a risk assessment, the data processor must take measures with the following objectives:

Access Control (Physical Access)

Denying unauthorized persons access to the facilities in which the processing is conducted. Appropriate measures include:

  • Access control system, central key management, magnetic card
  • Key/key distribution is centralized and organizationally clearly regulated
  • Clear assignment of permissions (access to building, office, server room)
  • Building protection ensured on weekends and at night
  • Guard/reception with video surveillance
  • Regulations for visitors (visitor badge, escort in the building)
  • Video surveillance of sensitive areas of the building (underground garage)
  • Locking cabinets and offices when absent

Data Carrier Control

Prevention of unauthorized reading, copying, modifying, or deleting of data carriers. Appropriate measures include:

  • Dedicated password procedure for login [e.g., clear password regulations (specific length, combination of letters and numbers, no trivial passwords, change at regular intervals); pre-set passwords must be changed immediately]
  • Automatic lockout (e.g., regulation for automatic locking of the computer after a certain period of inactivity (approx. 5 min), followed by re-login)
  • Automatic standby mode of the local computers
  • Encryption of data carriers possible
  • Special caution when taking laptops/data carriers/smartphones out of the office rooms
  • Remote deletion capability for smartphones

Storage Control

Prevention of unauthorized input of personal data and unauthorized access, modification, and deletion of stored personal data.

User Control

Prevention of the use of automated processing systems by unauthorized persons by means of data transmission facilities.

Access Control (Data Access)

Ensuring that those entitled to use an automated processing system only have access to the personal data covered by their access authorization. Appropriate measures include:

  • Differentiated permissions (profiles, roles)
  • Differentiated folder concept (e.g. all files are to be named consistently and traceably and saved in such a way that they can be easily found).
  • Storage media must be clearly marked and stored securely.
  • Secure deletion of data and/or destruction of data carriers.
  • Orderliness at the workplace [storage media (USB sticks, CD-ROMs) with confidential material must not be left lying around openly].
  • Adjustment of security-relevant default settings of new programs and IT systems
  • Uninstallation or deactivation of unneeded security-relevant programs and functions (especially for smartphones)

Transfer Control

Ensuring that it can be checked and determined to which locations personal data has been or can be transmitted or made available using data transmission facilities.

Input Control

Ensuring that it can be subsequently verified and determined which personal data was entered or changed in automated processing systems at what time and by whom. Appropriate measures include:

  • Logging and log evaluation functions are used, where available as part of existing software applications
  • Access to data processing systems only possible after login
  • No sharing of passwords
  • In addition to automatic locking: manual logout when leaving the office

Transport Control

Ensuring that during the transmission of personal data and the transport of data carriers, the confidentiality and integrity of the data are protected. Appropriate measures include:

  • Encryption (especially laptops)
  • Tunnel connection (VPN = Virtual Private Network)
  • Electronic signature possible
  • No use of unauthorized hardware/software
  • No forwarding of emails to private email accounts of employees
  • Caution when handling backup tapes
  • Guidelines for employees regarding printing of confidential documents (ensuring no other person has access to the printouts).
  • Regulations regarding the use of USB drives and CD-ROMs

Recoverability

Ensuring that deployed systems can be restored in case of a malfunction.

Reliability

Ensuring that all functions of the system are available and any malfunctions that occur are reported.

Data Integrity

Ensuring that stored personal data cannot be damaged by malfunctions of the system.

Order Control

Ensuring that personal data processed on order can only be processed in accordance with the instructions of the client. Appropriate measures include:

  • Clear contract design/standard contract according to Art. 28 GDPR available
  • Formalized order placement (order form)
  • Criteria for the selection of the contractor are strictly adhered to
  • Contract execution is ensured by the DPO (Data Protection Officer)

Availability Control

Ensuring that personal data is protected against destruction or loss. Appropriate measures include:

  • Regular backup procedure is ensured (definition of which data is stored for how long; inclusion of laptops and non-networked systems; regular checks of backup tapes; documentation of backup processes)
  • Separate storage of data is guaranteed
  • Antivirus/Firewall up to current technical standards is ensured
  • Protection against fire, overheating, water damage, voltage surges, and power outages in the server room
  • Emergency plan is in place and practiced regularly
  • Emergency power supply/Uninterruptible Power Supply (UPS)
  • Special caution when taking laptop/data carriers out of the office premises
  • Delegation arrangements, especially regarding the administrator

Separability

Ensuring that personal data collected for different purposes can be processed separately. Appropriate measures include:

  • Physically and/or logically separated storage, modification, deletion, and transmission of data serving different purposes (multi-tenancy)
  • Separation of functions, especially between production and test data

Review and Training on IT Security

Regular assessment and adaptation of technical and organizational measures to ensure IT integrity.

  • Regular professional training for IT managers and the company's data protection officer
  • Training employees in IT handling and enhancing IT security awareness
  • Security notes are made available to all employees in an appropriate form and can be accessed at any time (e.g. by publishing on the intranet)
  • Evaluation of reports and messages about unusual incidents
  • Investigation of detected or suspected breaches of security-relevant specifications
  • Regular review of the effectiveness of existing technical and organizational measures and examination of the need for new technical and organizational measures (both involving the data protection officer)
  • Regular and event-related control of IT functionality, including from the perspective of access control
  • Escalation and reporting paths for security-relevant incidents
  • Availability of IT managers and the company's data protection officer as contacts for all questions on IT use and security.

Attachment 2: Data Protection Specifications

Scope, Nature, and Purpose of the Planned Collection

The PaperSpace App allows for easy scanning and uploading of documents, categorizes them automatically, and extracts calendar entries for upcoming appointments and deadlines. Additionally, users can share documents and ask questions about their documents via an integrated chatbot. For micro-businesses, we also offer a white-label version that's designed as a no-code solution specifically for simple document requirements.

Type of Data

1. Personal Data:

  • First name, Last name
  • Email Address

2. Document Information:

  • Uploaded PDF files
  • Scanned PDF files

3. When using the scanning feature:

  • Automatic image processing that trims and filters photos of document pages
  • Creation of images of document pages in various resolutions
  • Capturing the document text using OCR (Optical Character Recognition)

4. Metadata for the document (automatically extracted or created by the user):

  • Document type
  • Tags / Labels
  • Creation date
  • Payment information (e.g., for an uploaded invoice)
  • Calendar information (e.g., for an uploaded invitation)
  • Sender and recipient of a letter (name and address, if included in the document)

5. Communication data:

  • Comments / chat messages about documents written by users
  • Automatically generated chatbot responses

6. Server log data:

  • IP address
  • Date and time
  • URL
  • Device type (Desktop/Mobile)
  • Browser type
  • Language settings

Affected Parties

Customers and users of the contractor's services.