Data processing agreement

1. Introduction, scope, definitions

  1. This contract is established between the customer of DigitX BV (Floynk), referred to as "client," and DigitX BV (Floynk), referred to as "contractor." It supplements existing contracts between the contractor and client when the client processes personal data on the contractor's platform. It precedes the principal contract of the contractor in its area of application.
  2. This contract outlines the rights and obligations of both the client and the contractor, collectively referred to as the parties.
  3. This contract applies to all activities involving the contractor's employees or subcontractors processing the client's personal data.
  4. Terms used in this agreement follow the definitions in the EU General Data Protection Regulation. Written declarations are as specified by § 126 BGB. Other forms of declaration may be used if adequate verifiability is guaranteed.

2. Data Processing: Subject and Duration

  1. The contractor offers Product Information Management and Order Management services, allowing the client to process data: save, modify, transmit, and delete.
  2. Processing starts when the client uses the services and continues indefinitely until the contract's termination by either party, followed by the final deletion of personal data.

3. Data Processing Purpose

  1. The client processes data for their own purposes and isn't obligated to disclose the purpose to the contractor.
  2. The client is solely responsible for the type and structure of the data, while the contractor has no influence on the data type and the affected individuals.

4. Contractor Obligations

  1. The contractor processes personal data strictly according to the contract or client's instructions unless legally obligated otherwise. The contractor informs the client of any legal obligations before processing unless prohibited by law. The contractor will not use the data for any other purposes.
  2. The contractor acknowledges relevant data protection regulations and abides by proper data processing principles.
  3. The contractor commits to maintaining strict confidentiality during processing.
  4. Employees with access to data processing must commit to confidentiality in writing unless already bound by a legal secrecy obligation.
  5. The contractor guarantees that employees involved in processing are familiar with data protection provisions and this contract before processing starts. Regular training and awareness measures are implemented. The contractor ensures adequate instruction and monitoring regarding data protection requirements.
  6. If the client is subject to inspection by supervisory authorities, the contractor commits to providing necessary support concerning the contract's processing.
  7. The contractor can only provide information to third parties or data subjects with the client's prior consent and will forward inquiries to the client.
  8. The contractor appoints a reliable and competent data protection officer, ensuring no conflicts of interest. The client can contact the officer directly in case of doubt. Changes in the officer's role must be communicated to the client promptly.
  9. Order processing occurs within the EU or EEA and on DigitalOcean's data processing equipment, partly in the USA. Transfers to third countries only occur with client agreement and under conditions specified in the General Data Protection Regulation, Chapter V, and this contract's provisions. Consent for using DigitalOcean Cloud is given upon contract conclusion.
  10. The contractor may use anonymized information for monitoring internal metrics.

5. Technical and Organizational Measures

  1. The security measures described on the "Security measures" page are binding.
  2. They define the minimum requirement for the contractor. The measures' description must be sufficiently detailed for a knowledgeable third party to understand the required minimum solely based on the description.
  3. References to information not directly obtainable from this agreement or its annexes are not permitted.
  4. Security measures may be adapted to technical and organizational development as long as the agreed level is maintained.
  5. The contractor must promptly implement necessary changes to maintain information security.
  6. Changes must be communicated to the client immediately.
  7. Significant changes must be agreed upon by both parties.
  8. If the implemented security measures do not meet or no longer meet the client's requirements, the contractor must inform the client immediately.
  9. The contractor guarantees strict separation of data processed under this contract from other data.
  10. Copies or duplicates are not created without the client's knowledge, except for technically necessary temporary reproductions, as long as they don't impair the agreed-upon data protection level.
  11. The contractor will regularly provide proof of fulfilling its obligations on the website's "Security measures" page, particularly regarding the full implementation of agreed-upon technical and organizational measures.

6. Rules for Data Correction, Deletion, and Blocking

  1. The contractor will only correct, delete, or block data processed under this contract according to the agreement or client's instructions.
  2. If the client continually breaches contractual obligations, the contractor can delete the client's account and all associated data, after informing the client.
  3. The contractor will follow the client's instructions during and after the termination of this contract.

7. Subcontracting

  1. The contractor uses the subcontractor DigitalOcean.
  2. Further subcontractors are allowed but require written notice to the client who can reject them.
  3. Subcontractors must follow data protection obligations comparable to this contract. The client may access relevant contracts between the contractor and subcontractor.
  4. The client's rights must be enforceable against subcontractors, including inspections.
  5. The contractor and subcontractor responsibilities must be clearly distinguished.
  6. Subcontractor subcontracting is permitted, and paragraphs 2-5 apply accordingly.
  7. The contractor must carefully select subcontractors based on their technical and organizational measures.
  8. Data transfer to subcontractors is allowed only if the contractor documents the subcontractor's complete fulfillment of obligations. The client can inspect the documentation.
  9. Non-EU/EEA subcontractors must meet specific data protection requirements.
  10. The contractor must provide information about the subcontractor's data protection guarantees upon request.
  11. Subcontractors listed on the Transparency Page at the contract's signing agree to the contractor's terms.
  12. The contractor may employ or replace subcontractors.
  13. The contractor publishes subcontractor changes on the Transparency Page.
  14. The client may terminate the contract if they disagree with a new subcontractor.
  15. Only services directly connected to the main service are considered subcontracting.
  16. Additional services like transport and maintenance are excluded.
  17. The contractor must ensure data protection and security compliance in such cases.

8. Client's Rights and Obligations

  1. The client is responsible for the contract's legality and protecting the rights of those concerned.
  2. The client must document all contracts, partial contracts, or instructions. Urgent instructions may be given orally and must be confirmed by the contractor.
  3. The client can verify the contractor's compliance with data protection provisions and agreements through obtaining information and conducting on-site inspections.
  4. The contractor must allow the client access and insight when necessary.
  5. The contractor must provide necessary information, demonstrate procedures, and provide evidence for inspections.
  6. Inspections must not disrupt the contractor's business operations.
  7. Inspections should occur with advance notice, during business hours, and not more than once every 12 months, unless urgent reasons are documented by the client.
  8. If the contractor provides evidence of compliance with data protection obligations, inspections will be limited to random samples.

9. Notification Requirements

  1. The contractor must inform the client of personal data breaches within 24 hours, including any suspected breaches.
  2. Notifications must include the data protection officer's contact information, descriptions of the breach's consequences, and measures taken or proposed by the contractor.
  3. The contractor must immediately notify the client of significant issues in contract execution or breaches of data protection regulations.
  4. The contractor must inform the client about inspections or actions taken by supervisory authorities or third parties related to the contract.
  5. The contractor agrees to support the client in fulfilling their obligations under Articles 33 and 34 of the GDPR.

10. Instructions

  1. The client has full access to data, making the contractor's cooperation unnecessary for data correction, blocking, or deletion.
  2. If the contractor's cooperation is required, they must cover the reasonable costs. The client has the right to issue instructions regarding data processing according to Art. 29 and 28 GDPR.
  3. The contractor must inform the client if they believe an instruction violates data protection regulations and may suspend the execution until the instruction is confirmed or changed by the client.
  4. Authorized instruction issuers include employees of the client's company registered with a Floynk account. Employees must legitimize themselves with each directive.
  5. All contractor employees are trained and authorized to receive instructions.

11. Contract Termination

  1. Data will be destroyed upon contract termination.
  2. Any existing data copies will also be destroyed after the retention period. Destruction must ensure no residual information can be recovered.
  3. The contractor must ensure immediate data return or deletion from subcontractors.

12. Liability

  1. The contractor is liable for their own fault.
  2. Liability for slightly negligent breaches is excluded, except for damages involving life, health, guarantees, or product liability law claims.
  3. Liability for breaches of cardinal obligations remains unaffected.
  4. The limitation of liability applies to all legal grounds and extends to the contractor's employees and vicarious agents.
  5. Compensation obligations are excluded if damages result from the correct implementation of contracted services or client instructions.

13. Special Termination Rights

  1. The client may terminate the contract without notice if the contractor seriously breaches data protection regulations, refuses to follow client instructions, or denies client inspection rights.
  2. A serious breach occurs if the contractor does not fulfill their obligations, including the agreed-upon technical and organizational measures.
  3. For minor infringements, the client sets a deadline for the contractor to remedy the situation. If not resolved, the client can terminate the contract as described in this section.

14. Miscellaneous

  1. Both parties must treat each other's business secrets and data security measures confidentially, even after contract termination.
  2. Information must be treated as confidential until written approval from the other party is obtained.
  3. If the client's property is endangered by third-party actions or other events, the client must inform the contractor.
  4. Side agreements require written form.
  5. The plea of retention under § 273 BGB is excluded regarding data processed under the contract and related data carriers.
  6. If any parts of this agreement are invalid, the agreement's validity remains unaffected.