This contract governs the data protection obligations of the contractor PaperSpace GmbH, Am Bartelskamp 16, D-38553 Wasbüttel, represented by the authorized managing director Martin Stämmler, towards the respective client.
The subject and duration of the assignment, the type and purpose of the processing, the type of data and the categories of affected parties are derived from the order and the general terms and conditions for using PaperSpace (hereinafter referred to as the "main contract") between the parties. The contract ends with the termination of the main contract and the fulfillment of the obligations according to clause 10. If no agreement has been reached in the main contract regarding the aforementioned regulation, Attachment 2 to this contract applies.
The contractor complies with the agreed technical and organizational measures according to Art. 5 para. 1 and Art. 32 GDPR within his area of responsibility and has designed his internal organization in accordance with data protection requirements. This includes the technical and organizational measures outlined in Attachment 1.
The contractor regularly checks the internal processes as well as the technical and organizational measures to ensure that the processing in his area of responsibility is in line with the requirements of the applicable data protection law and that the protection of the rights of the affected person is guaranteed.
The contractor is only allowed to correct, delete, or restrict the data processed on behalf of the client upon instruction. If an affected party should directly approach the contractor for correction or deletion of his data or for restriction of processing, the contractor will immediately forward this request to the client.
The contractor will support the client in the event of asserting statutory rights of the affected parties; this particularly includes support in responding to requests to exercise the rights of the affected parties using appropriate technical-organizational measures.
The contractor ensures compliance with the following obligations:
The client agrees that the contractor may grant subcontracts to affiliated and non-affiliated external companies for the fulfillment of his contractual services. When granting a subcontract, the contractual agreements between the contractor and the subcontractor are designed to meet the requirements for data protection and data security between the contract parties of this agreement.
The client can object to a subcontract if there is a proven legitimate interest or if there is a different arrangement in the main contract. Upon the client's written request, the contractor will provide information on the main contract content (services excluding prices) and the implementation of the data protection-relevant obligations of the subcontractor.
The contractor will always inform the client about any intended change regarding the addition of new or the replacement of previous subcontractors, giving the client the opportunity to object to such changes.
The contractor's processing of data is geographically limited to the EU and the EEA. The transfer of data by the contractor to a recipient located outside the EEA is only permitted under the conditions of Art. 44 ff. GDPR and requires the separate prior written consent of the client.
The client may, upon timely written notification and with a notice period of at least four bank working days, inspect the operational premises during regular business hours, i.e., between 09:00 and 18:00, without disrupting the operational processes, to verify the adequacy of the measures in compliance with the technical and organizational requirements of the relevant data protection laws. The contractor is obligated to allow the client's inspections as per this contract, provide necessary support, as required for the client's inspection under this contract, and provide the client with information upon written request within a reasonable period, which is necessary for the conduct of a comprehensive contract audit. In particular, the contractor allows the client to verify the adherence to the technical and organizational measures implemented by the contractor, both before the onset of data processing and regularly thereafter.
The contractor shall notify the client immediately upon becoming aware of any violations by him, his employees, or subcontractors of regulations protecting the client's data (especially the GDPR) or of the stipulations set in this agreement, or if there is a suspicion of such violations. The contractor will document such incidents, promptly investigate, and take corrective action.
He will keep the client informed about the progress of the matter until the incident is resolved. If the breach poses a risk to the rights and freedoms of the affected individuals as per Art. 33 of the GDPR, the contractor will fully support the client in investigating the incident and in the corresponding notification to the data protection supervisory authority or the affected individuals.
The handling of the data is exclusively within the framework of the agreements made and as instructed by the client. The client reserves, within the scope of the task description made in this agreement, a comprehensive right to instruct on the nature, extent, and method of data processing, which he can specify with individual instructions. The provisions of the main contract are solely decisive for the actual scope of the instruction authority, which is limited to the functionalities regulated there. Changes to the object of processing and changes in procedure must be agreed upon and documented together. Changes to the contract subject and changes in procedure are to be coordinated between the parties.
The contractor may only provide information to third parties or the affected person with the prior written consent of the client. The client will promptly confirm oral instructions in writing or by e-mail (in text form).
The contractor does not use the data for any other purposes and is in particular not entitled to pass it on to third parties. Copies and duplicates are not created without the knowledge of the client. Excluded from this are backup copies, as far as they are necessary to ensure proper data processing, as well as data required in view of compliance with legal storage obligations. The contractor must inform the client immediately if he believes an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the person responsible at the client. The contractor will document the instructions as necessary.
Subject to different agreements and legal or statutory obligations, the contractor is obliged after the end of the contract to immediately return data carriers handed over to him to the client and to delete personal data related to the order that has not yet been deleted. If the contractor does not return documents or data carriers with personal data to be destroyed to the client, the contractor is obliged to dispose of the documents properly so that unauthorized third parties cannot gain knowledge of the data.
Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the contractor must implement suitable technical and organizational measures to ensure an appropriate level of protection.
These measures may include, among other things, the pseudonymization and encryption of personal data, as far as such means are possible in light of the purposes of processing.
The measures are intended to ensure
After a risk assessment, the data processor must take measures that aim to:
Denying access to processing facilities with which the processing is conducted, to unauthorized persons. Appropriate measures include:
Prevention of unauthorized reading, copying, modifying, or deleting of data carriers. Appropriate measures include:
Prevention of unauthorized input of personal data and unauthorized access, modification, and deletion of stored personal data.
Prevention of the use of automated processing systems with the help of facilities for data transmission by unauthorized persons.
Ensuring that those entitled to use an automated processing system only have access to the personal data covered by their access authorization. Appropriate measures include:
Ensuring that it can be checked and determined to which locations personal data has been or can be transmitted or made available using data transmission facilities.
Ensuring that it can be subsequently verified and determined which personal data was entered or changed in automated processing systems at what time and by whom. Appropriate measures include:
Ensuring that deployed systems can be restored in case of a malfunction.
Ensuring that all functions of the system are available and any malfunctions that occur are reported.
Ensuring that stored personal data cannot be damaged by malfunctions of the system.
Ensuring that personal data is protected against destruction or loss. Appropriate measures include:
Ensuring that personal data collected for different purposes can be processed separately. Appropriate measures include:
Regular assessment and adaptation of technical and organizational measures to ensure IT integrity.
The PaperSpace App allows for easy scanning and uploading of documents, categorizes them automatically, and extracts calendar entries for upcoming appointments and deadlines. Additionally, users can share documents and ask questions about their documents via an integrated chatbot. For micro-businesses, we also offer a white-label version that's designed as a no-code solution specifically for simple document requirements.
1. Personal Data:
2. Document Information:
3. When using the scanning feature:
4. Metadata for the document (automatically extracted or created by the user):
5. Communication data:
6. Server log data:
Customers and users of the contractor's services.