Data Processing Agreement pursuant to Art. 28 GDPR

Translation Notice: This is an English translation provided for convenience. The German version is legally binding.

between the Controller

and

BauCloud GmbH, Jörg-Hube-Str. 99, 81927 Munich, Germany
– hereinafter referred to as "Processor" –

Preamble

This Agreement specifies the data protection rights and obligations of the contracting parties in connection with the contract concluded between them for the use of the software "Reporting API App" (hereinafter "Reporting API App Service Agreement"). It applies to all activities in which the Processor or sub-processors engaged by the Processor process personal data (hereinafter "Data") on behalf of and in accordance with the instructions of the Controller.

§ 1 Subject Matter, Duration, Nature and Purpose of Processing

1) The subject matter of the contract is the provision of the SaaS services specified in the Reporting API App Service Agreement. The detailed description of the subject matter of processing, the nature and purpose of processing, the types of personal data, and the categories of data subjects is set out in Annex 1 to this Agreement.

2) The duration of this Agreement (term) is determined by the term of the Reporting API App Service Agreement. The right to extraordinary termination for good cause remains unaffected.

3) The processing of Data by the Processor shall generally take place in a Member State of the European Union (EU) or in another Contracting State of the Agreement on the European Economic Area (EEA).

4) The Processor is entitled to engage sub-processors in third countries, provided that the legal requirements pursuant to Art. 44 et seq. GDPR for data transfers are ensured. The sub-processors engaged and their locations can be found in the online list maintained pursuant to § 5 of this Agreement.

§ 2 Obligations of the Processor

1) The Processor shall process personal data exclusively within the scope of the agreements made and in accordance with documented instructions from the Controller (cf. § 3), unless the Processor is required to process by Union or Member State law to which the Processor is subject.

2) The Processor shall organize its internal operations in such a way as to meet the specific requirements of data protection. The Processor shall implement all technical and organizational measures required pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk for the Controller's Data. The current technical and organizational measures can be viewed at Technical and Organizational Measures (TOM) and are considered an integral part of this Agreement. The Processor reserves the right to adapt the TOMs to technical progress and further development, but shall ensure that the contractually agreed level of protection is never reduced. Material changes shall be documented to the Controller.

3) The Processor reserves the right to modify the security measures implemented, while ensuring that the contractually agreed level of protection is not reduced. Material changes shall be documented to the Controller.

4) The Processor shall ensure that persons authorized to process the Controller's Data have committed themselves to confidentiality pursuant to Art. 28(3)(b), Art. 29 and Art. 32 GDPR and have been instructed in the data protection provisions relevant to them.

5) The Processor shall designate a contact person to the Controller for all data protection matters arising under this Agreement.

6) The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller pursuant to Art. 30(2) GDPR.

§ 3 Controller's Right to Issue Instructions

1) The Processor may only process Data in accordance with instructions from the Controller. The Controller's instructions are issued in particular through the use of the software "Reporting API App" provided under the Reporting API App Service Agreement and its functionalities by the Controller or users authorized by the Controller (e.g., by creating, modifying, or deleting configurations and notification targets). This self-service use constitutes the primary documented instruction.

2) Instructions are initially established by the Reporting API App Service Agreement and this Agreement and may subsequently be amended, supplemented, or replaced by the Controller in text form (e.g., by email) to the contact point designated by the Processor through individual instructions.

3) The Processor shall immediately inform the Controller if the Processor is of the opinion that an instruction violates the GDPR or other applicable data protection provisions. The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller after review.

§ 4 Support Obligations for the Controller

1) The Processor shall assist the Controller, where possible, with appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR (Art. 12-22).

2) The Processor shall assist the Controller, taking into account the nature of processing and the information available to the Processor, in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR (security of processing, notification of personal data breaches to the supervisory authority, communication to the data subject, data protection impact assessment, prior consultation).

3) The Processor shall notify the Controller without undue delay after becoming aware of any personal data breach affecting the Data it processes.

§ 5 Sub-processing

1) The Controller hereby grants the Processor general written authorization to engage further processors (sub-processors) within the meaning of Art. 28(2) GDPR.

2) A current list of sub-processors engaged by the Processor and generally approved by the Controller is made available online by the Processor at Sub-processors. The list published at this URL at the time of contract conclusion is deemed approved.

3) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors by updating the online list and providing notification in text form (e.g., by email). The Controller may object to such changes within a period of 14 days after receipt of the notification for important data protection reasons. If no objection is raised within this period, the change is deemed approved. In the event of a justified objection, either party is entitled to terminate the Reporting API App Service Agreement and this Agreement with 30 days' notice.

4) The Processor shall conclude a contract with the sub-processor that meets the requirements of Art. 28 GDPR and imposes on the sub-processor the same data protection obligations as set out in this Agreement. The Processor shall regularly verify the sub-processor's compliance with these obligations.

§ 6 Controller's Audit Rights

1) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR upon request.

2) The Controller is entitled to verify compliance with data protection regulations and contractual agreements at the Processor's premises through audits, including inspections, either personally or through an appointed auditor. The Processor shall tolerate such measures and provide support.

3) The Processor may also demonstrate compliance with technical and organizational measures by presenting suitable, current certifications, reports, or report excerpts from independent bodies (e.g., auditors, data protection officers) or appropriate certification (e.g., ISO 27001). Such evidence shall be provided to the Controller free of charge. For on-site inspections requested by the Controller beyond this, the Processor may charge remuneration based on its documented expenses.

§ 7 Liability

1) The Controller and Processor shall be liable to data subjects in accordance with the provisions of Art. 82 GDPR.

2) In the internal relationship, the Processor is only obligated to compensate for damages if it has violated an obligation specifically incumbent upon it under this Agreement or the GDPR, or has disregarded a lawful instruction of the Controller. The Controller is solely responsible for assessing the lawfulness of the processing instructed by the Controller pursuant to Art. 6(1) GDPR.

§ 8 Termination of Contract and Data Deletion

1) Upon termination of the Reporting API App Service Agreement or at any time upon instruction of the Controller, the Processor shall, at the Controller's choice, either return all personal data processed in connection with the contract to the Controller or delete it in a data protection-compliant manner.

2) The deletion or return shall be confirmed to the Controller in writing.

3) Statutory retention obligations of the Processor remain unaffected by the provision in paragraph 1.

4) The obligations under this Agreement, in particular regarding confidentiality and data security, shall continue after termination of the contract for as long as personal data remains within the Processor's sphere of control.

§ 9 Final Provisions

1) Amendments and supplements to this Agreement require text form. This also applies to the waiver of this formal requirement.

2) In the event of any conflicts, the data protection provisions of this Agreement shall take precedence over the provisions of the Reporting API App Service Agreement.

3) Should individual parts of this Agreement be invalid, this shall not affect the validity of the Agreement as a whole.

4) German law shall apply. The place of jurisdiction is Munich.

Annex 1: Description of Data Processing

(pursuant to § 1 of this Agreement)

1. Nature and Purpose of Processing:

  • Provision and operation of the SaaS application "Reporting API App": This includes the provision of the software for capturing, storing, and optionally forwarding browser-side event reports (Reports) via the Internet, including the hosting and infrastructure required for operation.
  • Data processing for contract performance: Receipt, storage, and processing of Reports automatically sent by end users' browsers, as well as their optional forwarding to notification targets configured by the Controller. Reports are subject to time-limited retention in accordance with the subscription plan selected by the Controller.
  • Technical support and maintenance: Processing of data in the context of support requests from the Controller for troubleshooting and maintenance of the application.
  • Security logging: Logging of technical data such as IP addresses and login times to ensure system security and traceability.

2. Types of Personal Data:

  • Master and contact data of administrative users: Name, email address, and telephone number.
  • Technical access and usage data: IP addresses, user agent information, and timestamps—both of administrative users (during login and use of the application) and of end users of the Controller's websites (during transmission of event reports).

3. Categories of Data Subjects:

  • End users of the Controller's websites (indirectly, through technical data in event reports).
  • Employees of the Controller who administratively manage and use the application.