Order processing contract

As of: September 2024

1. Introduction, scope, definitions

1.1. This order processing agreement (hereinafter “contract”) regulates the rights and obligations of the client and the contractor (hereinafter “parties”) in the context of the processing of personal data.

1.2. This contract applies to all activities in which the contractor's employees, or subcontractors commissioned by the contractor, process the client's personal data.

1.3. Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. Insofar as declarations must be made “in writing” below, the written form is meant in accordance with Section 126 BGB. In addition, declarations may also be made in other forms, provided that adequate traceability is ensured.

2. Subject matter and duration of processing

2.1. Subject

The contractor undertakes the following processing:

Provision of an Access as a Service (ACaaS) service/ACaaS application for use

Development and operation of an access management platform that receives access requests from third-party systems and issues access authorizations on this basis. At the same time, the platform provides information about existing and past access authorizations.

Provision of an Identity as a Service (IDaaS) service/IDaaS application for use

Development and operation of an identity management platform that receives authorization requests from third-party systems and issues access authorizations on this basis. At the same time, the platform provides information about existing and past access authorizations.

2.2. Providing support to customers and users of the services offered

The processing is based on the service contract between the parties based on the customer account with BlueID as well as the terms and conditions and the services offered in the current version (hereinafter “main contract”).

2.3. Duration

Processing begins at the start of the main contract, continues for an indefinite period, and ends when the main contract concluded between the parties ends.

3. Type and purpose of data processing

3.1. Nature and purpose of processing

The processing consists of providing the client with an online cloud solution for administration/implementation of access and identity management as well as remote maintenance of the systems used (see section 2.1.).

3.2. Type of data

Depending on the provision made by the client or by the authorized user, the following data is processed:

  • pseudonymized user data via mobile devices,
  • full name,
  • the user's email address,
  • access authorization (e.g. door or room name),
  • roles or job title (e.g. customer, employee, team leader, etc.),
  • GPS location of the admin smartphone collecting the lock position,
  • log data of accesses to the lock,
  • causes of failure,
  • number of successful and unsuccessful opening attempts on the user's smartphone, and
  • status and firmware data.

3.3. Categories of affected persons

The following are affected by the processing:

  • Employees
  • External building visitors (e.g. hotel guests, office visitors, tenants, service providers)
  • Other users of the systems (e.g. B2B customers)

4. Obligations of the contractor

4.1. The contractor processes personal data exclusively as contractually agreed or as directed by the client, unless the contractor is required by law to carry out specific processing. If such obligations exist for him, the contractor shall inform the client of these before processing, unless the notification is prohibited by law. In addition, the contractor does not use the data provided for processing for any other purposes, in particular not for its own purposes.

4.2. The contractor confirms that he is aware of the relevant general data protection regulations. He complies with the principles of proper data processing.

4.3. The contractor undertakes to strictly maintain confidentiality during processing.

Persons who may gain knowledge of the data processed under this contract must commit themselves in writing to confidentiality, unless they are already subject to a relevant confidentiality obligation by law.

4.4. The contractor assures that the persons employed by him for processing have been familiarized with the relevant data protection provisions and this contract before the start of processing. Appropriate training and awareness-raising measures should be repeated regularly. The contractor ensures that persons involved in order processing are adequately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.

4.5. In connection with the commissioned processing, the contractor must assist the client in preparing and updating the list of processing activities and in carrying out the data protection impact assessment. All necessary information and documentation must be kept available and immediately forwarded to the client upon request.

4.6. If the client is subject to an inspection by supervisory authorities or other bodies or if data subjects assert rights against him, the contractor undertakes to support the client to the extent necessary, insofar as processing on behalf is affected.

4.7. The contractor may only provide information to third parties or the person concerned with the prior consent of the client. He will immediately forward inquiries addressed to him directly to the client.

4.8. The contractor assures that he has appointed an expert and reliable company data protection officer who is granted the necessary time to perform his tasks.

The contractor's data protection officer is:

Malte Pignol
+49 (89) 8099026-00
datenschutz@blueid.net

Malte Pignol is a business lawyer specializing in European business law and in particular data protection. As an experienced internal and external data protection officer for small and medium-sized companies and corporations, he has personal certifications as a data protection officer, data protection auditor, information security officer and information security lead auditor.

5. Technical and Organizational Measures (TOM)

5.1. The data security measures described in Annex 1 are set out as mandatory. The data security measures may be adapted to technical and organizational developments as long as the level of protection agreed here is not undercut. The contractor must implement any changes necessary to maintain information security immediately.

5.2. If the security measures taken do not or no longer meet the client's requirements, the contractor shall immediately notify the client.

5.3. The contractor guarantees that the data processed under this contract will be strictly separated from other databases.

5.4. Copies or duplicates will not be made without the knowledge of the client. Technically necessary, temporary reproductions are excluded, insofar as an impairment of the level of data protection agreed here is ruled out.

5.5. The processing of data in private homes is only permitted subject to appropriate technical and organizational measures. Insofar as such processing takes place, the contractor must ensure that a level of data protection and data security corresponding to this contract is maintained and that the client's control rights specified in this contract can also be exercised without restriction in the affected private homes. Processing of data under this contract on private devices is not permitted under any circumstances.

5.6. Dedicated data carriers, which originate from or are used for the client, are specially marked and are subject to ongoing administration. They must be kept in an appropriate manner at all times and must not be accessible to unauthorised persons. Inputs and outputs are documented.

6. Rules for correcting, deleting and restricting the processing of data

6.1. The contractor will correct, delete or restrict the processing of data processed under the main contract only on the client's instruction.

6.2. The contractor will comply with the relevant instructions from the client at any time and even after the termination of this contract.

6.3. The contractor is entitled to suspend data processing or not implement supplementary instructions should there be justified doubt as to the lawfulness or admissibility of the processing based on objective evidence. This includes in particular violations of data protection regulations or provisions of the main contract. In such a case, the contractor shall immediately inform the client of this.

7. Subcontracting

7.1. The client agrees that the contractor uses subcontractors for data center operations, as specified in Appendix 2.

7.2. The contractor may also use further or other subcontractors to process the contractual data without the consent of the client if the contractual data is only processed within the Federal Republic of Germany or the EU/EEA. The client must be informed of this in writing with the name of the subcontractor.

7.3. It must also be possible to effectively exercise the rights of the client vis-à-vis the subcontractor. In particular, the client must be entitled to carry out checks on subcontractors at any time to the extent specified here or to have them carried out by third parties.

7.4. The contractor carefully selects the subcontractor, taking particular account of the suitability of the technical and organizational measures taken by the subcontractor.

7.5. The transfer of data processed under this contract to the subcontractor is only permitted once the contractor has verified in a documented manner that the subcontractor has fully fulfilled its obligations. The contractor must submit the documentation to the client without being asked.

7.6. The appointment of subcontractors who do not perform the commissioned processing exclusively from within the territory of the EU or the EEA is only possible if the terms of this contract are met. In particular, it is only permitted to the extent and for as long as the subcontractor offers appropriate data protection guarantees. The contractor shall inform the client which specific data protection guarantees the subcontractor offers and how proof of this can be obtained.

7.7. Subcontracting relationships within the meaning of this contract are only services that are directly related to the provision of the main service. Ancillary services, such as transportation, maintenance and cleaning as well as the use of telecommunications services or user services, are not included. The contractor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.

8. Rights and obligations of the client

8.1. The client alone is responsible for assessing the admissibility of the commissioned processing and for upholding the rights of data subjects.

8.2. The client shall immediately inform the contractor if he finds errors or irregularities in the review of the contract results.

8.3. The client is entitled to check compliance with data protection regulations and contractual agreements with the contractor to an appropriate extent himself or through third parties, in particular by obtaining information and viewing the stored data and data processing programs as well as other on-site checks. As far as necessary, the contractor must allow access and insight to persons entrusted with the inspection. The contractor is obliged to provide the necessary information, to demonstrate processes and to provide evidence that is necessary to carry out an inspection.

8.4. The client will not carry out any checks himself, insofar as the contractor is able to provide the required proof by presenting a standard commercial certificate (such as in accordance with IS, DIN or SOC standards) or otherwise. In addition, checks on the contractor must be carried out without avoidable disruptions to its business operations. Unless otherwise indicated for urgent reasons to be documented by the client, checks are carried out after reasonable advance notice and during the contractor's business hours.

9. Notification requirements

9.1. The contractor immediately notifies the client of breaches of personal data protection. Substantiated cases of suspicion of such a breach must also be reported. The notification must be made to an address specified by the client without culpable delay as soon as the contractor becomes aware of the relevant event, and must in any case comply with the statutory deadlines. It must contain at least the following information:

  • a description of the nature of the personal data breach, including, as far as possible, the categories and approximate number of data subjects, the categories concerned and the approximate number of personal data sets concerned;
  • the name and contact details of the data protection officer or other point of contact for further information;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed by the contractor to remedy the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.

9.2. Significant disruptions in the execution of the order and breaches of data protection regulations or the stipulations made in this contract by the contractor or persons employed by him must also be reported immediately.

9.3. The contractor shall immediately inform the client of checks or measures taken by supervisory authorities or other third parties, insofar as these relate to order processing.

9.4. The contractor undertakes to support the client to the extent necessary with its obligations under Articles 33 and 34 of the General Data Protection Regulation.

10. Completion of the contract

10.1. Upon termination of the contract or at any time at the request of the client, the contractor must either destroy or hand over the data processed in the order to the client at the client's discretion. All existing copies of the data must also be destroyed. The destruction must be carried out in such a way that it is no longer possible to restore even residual information with reasonable effort.

10.2. The contractor is obliged to ensure that subcontractors also immediately return or delete the data.

10.3. Documentation that serves as proof of proper data processing must be kept by the contractor even after the end of the contract in accordance with the respective retention periods. To relieve himself of this obligation, he may hand the documentation over to the client at the end of the contract. Deletion will take place immediately at the client's request, which may require a period of up to four weeks, unless earlier deletion is required under the respective circumstances. If, in exceptional cases, deletion is to take place earlier, the client will inform the contractor of this sufficiently in advance.

11. Remuneration

11.1. The contractor's remuneration is finally regulated in the main contract. There is no separate remuneration or reimbursement of costs under this contract.

12. Miscellaneous

12.1. Both parties are obliged to keep confidential all knowledge of trade secrets and data security measures acquired by the other party as part of the contractual relationship, even after the contract has ended. If there is any doubt as to whether information is subject to confidentiality, it must be treated as confidential until documented approval (written or text form) by the other party.

12.2. If access to the data that the client has provided to the contractor for data processing is jeopardized by measures taken by third parties (e.g. measures taken by an insolvency administrator or seizure by tax authorities), the contractor must immediately notify the client of this.

12.3. In the event of any conflict between the provisions of this contract and those of the main contract, the provisions of this contract shall prevail.

12.4. Additional agreements must be made at least in text form.

12.5. A plea of a right of retention within the meaning of Section 273 BGB is excluded with regard to the data processed under this contract and the associated data carriers. Should individual parts of this contract be ineffective, this shall not affect the effectiveness of the remaining contractual clauses.

12.6. This contract is subject to the laws of the Federal Republic of Germany. The place of jurisdiction is the registered office of the contractor.

Technical and organizational measures

The technical and organizational measures to ensure data protection and data security, which the contractor must at least implement and maintain on an ongoing basis, are defined below. The aim is, in particular, to ensure the confidentiality, integrity and availability of information processed on behalf of the order.

1. General measures
  • An obligation of confidentiality for employees is part of all employment contracts with BlueID and, among other things, prohibits the transfer of personal or business data of third parties, in particular from the employer's customers, to unauthorized third parties. Infringement is punishable by a contractual penalty.
  • Regular data protection training for employees
  • Specially qualified data protection officer: see section 4.8 of the contract (AVV)
  • Orientation to ISO 27001 standards
  • Order processing contracts with sub-processors

2. Confidentiality

2.1. Access, storage and data carrier control

Measures that are suitable to deny unauthorised persons access to data processing systems with which personal data are processed.

Since BlueID does not maintain its own servers, we refer to the comprehensive measures taken by the operator Amazon Web Services (“AWS”) at the perimeter, infrastructure, data and environmental levels for the data centers we use. A detailed description of the protective measures taken by AWS for the operated server locations can be found on the company's website: https://aws.amazon.com/de/compliance/data-center/data-centers/

2.2. Access and user control

Measures that are appropriate to prevent data processing systems from being used by unauthorised persons.

  • Authentication with username/password
  • Technical enforcement of password complexity
  • Encrypted password storage
  • Automatic lock mechanisms
  • Automatic update installation via admin policy on clients
  • Use of firewalls, virus scanners, spam filters, anti-spyware programs and secure remote connections
  • Encrypting data carriers in mobile systems
  • Prohibition of USB data carriers (except for technical/administrative activities, e.g. client installation)
  • Standardised process for applying for, approving, setting up and deleting user accounts
  • Review of user accounts in the event of changed tasks, transfers, resignations, etc.
  • One user master record per user
  • Using strong passwords
  • Forced password change when logging on for the first time
  • Prohibition of password sharing
  • Reset locked user accounts only after secure authentication
  • Administration accesses are limited to the required number
  • Task/division-related administration accesses
  • Clean Desk Policy, Password Assignment, and Manual Computer Locking Guidelines

2.3. Access control

Measures that ensure that people can only access data within the scope of their access rights and that personal data cannot be read, copied, modified or removed without authorization during processing.

  • Documented authorization concept available
  • Assigning user rights/creating user profiles
  • Management of rights by system administrator
  • Number of administrators reduced to “bare essentials”
  • Logging changes to data
  • Encrypting data carriers
  • Secure storage of data carriers
  • Proper destruction of data carriers

2.4. Deletion concept for data transport and transfer control

Measures which ensure that personal data cannot be read, copied, changed or removed without authorization during electronic transmission, and that it is possible to check to which points a transfer of personal data by data transmission facilities is intended.

2.5. Firewall: The firewall technologies required according to the state of the art have been implemented and are kept up to date.

2.6. Create an overview of data carriers with analog output and input

3. Integrity

3.1. Input control/processing control

Measures that ensure that it is possible to check retrospectively whether and by whom personal data has been entered, changed or removed from data processing systems.

  • Traceability of entry, change and deletion of data through individual user names (not user groups)
  • Retention and deletion period for logs exists

3.2. Documentation control

Measures to ensure that personal data processing practices are documented in such a way that they can be reasonably understood.

Documentation of the IT systems used and their system configuration

3.3. Transfer control

Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and determine to which places personal data will be transferred by data transfer facilities.

  • Transport encryption when sending emails
  • Using VPN
  • Websites are HTTPS-encrypted

4. Availability control

4.1. Measures to ensure that personal data is protected against accidental destruction or loss and can be restored in the event of an accident.

Within the data centers used by AWS, a variety of measures are implemented to protect against disruptions and disasters. These include:

  • Uninterruptible power supply (UPS)
  • Surge protection
  • Protection against environmental influences (storms, water)
  • Devices for monitoring temperature and humidity in server rooms
  • Fire and smoke alarm systems
  • Alarm message in case of unauthorized access to server rooms
  • Data recovery testing
  • Air conditioning in server rooms
  • Regular backups
  • Storing data backups in a secure, remote location
  • Anti-virus system
  • Hard disk mirroring (such as RAID methods)
  • Disaster concept available

5. Separation requirement

Measures to ensure that data collected for different purposes can be processed separately:

  • Physically separated storage on separate systems or data carriers
  • Assigning purpose attributes/data fields to data records
  • Logical client separation (on the software side)
  • Separation of production and test systems
  • Definition of database rights technology
  • Management via a documented authorization concept
  • Separation of data from different clients

6. Review, assessment and evaluation

6.1. Measures to ensure that it is checked regularly, or as appropriate, whether the data protection requirements are met.

  • Carrying out audits
  • Preparation of data protection impact assessments
  • Involving additional auditors, if applicable
  • Current data protection organization including training for employees

7. Subcontractors used

7.1. AWS/AWS S3/AWS SES

We use the services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter “AWS”) for our app servers (on which the backends run), AWS S3 to host the files uploaded in our apps, and AWS SES to send invitation emails to our users from within our apps.

The locations of the server/data centers used are within the “Frankfurt region” operated by AWS (see also https://aws.amazon.com/de/region-frankfurt/).

AWS meets high international security standards and is certified according to the following standards: ISO/IEC 27001:2013, 27017:2015, 27018:2014 and 9001:2015. Details of the above standards and certifications are available at https://aws.amazon.com/de/compliance/iso-certified/

AWS “Computing Appendix” can be viewed here: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

For more information about salesforce.com's privacy policy, please visit: https://www.salesforce.com/de/company/privacy/

7.2. Weclapp

We use weclapp.com from weclapp GmbH, based at Friedrich-Ebert-Straße 28, 97318 Kitzingen (hereinafter “weclapp”), as a service provider for sales management, our marketing processes and service processing. For the use of weclapp, we have concluded an order processing contract to protect your personal data.

Further information on data protection at weclapp.com can be found at: https://www.weclapp.com/de/datenschutz/

7.3. Notion

For project management and software development, we use Notion Labs, Inc., 548 Market Street Suite 74567 San Francisco, CA 94104, USA (hereinafter “Notion”).

We have concluded an order processing agreement with Notion, in which we oblige Notion to protect our customers' data, not to pass it on to third parties and to comply with the regulations of the EU-US Data Privacy Framework when transferring personal data to third countries.

Further information and Notion's applicable privacy policy can be found at https://www.notion.so/Terms-and-Privacy-28ffdd083dc3473e9c2da6ec011b58ac.