Compliance and security are foundational for us - ensuring your integrations meet the highest standards.
(1) This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into the Terms of Service available at maesn.com/terms-of-service (“Terms of Service”).
(2) The Processor will process personal data on behalf of the Controller within the meaning of Article 4 (8) and Article 28 of Regulation (EU) 2016/679 (“GDPR”). This Data Processing Agreement governs the rights and obligations of the parties in connection with the processing of personal data.
(3) Insofar as the term "data processing" or "processing" (of data) is used in this Agreement, it has the meaning defined in Article 4 (2) GDPR.
The subject matter, nature and purpose of the processing, the nature of the personal data and the categories of data subjects are set out in Annex 1 to this Agreement.
(1) The Controller is the responsible body within the meaning of Article 4 (7) GDPR for the data processed on its behalf. Pursuant to section 4 (5) of this Agreement, the Processor has the right to inform the Controller if the Processor is of the opinion that the data processing under this Agreement and/or an instruction is in breach of applicable statutory data protection law.
(2) The Controller shall be the person responsible for safeguarding the data subjects' rights. The Processor shall promptly inform the Controller if data subjects assert their data subject rights against the Processor.
(3) The Controller shall be entitled to issue supplementary instructions concerning the nature, scope and procedure of data processing to the Processor at any time. Instructions must be given in text form (e.g. email).
(4) Provisions concerning possible remuneration of additional expenses incurred by the Processor through supplementary instructions of the Controller remain unaffected.
(5) The Controller shall promptly inform the Processor if it finds errors or irregularities in connection with the processing of personal data by the Processor.
(6) In the event of an obligation to provide information to Third Parties pursuant to Articles 33 and 34 GDPR or any other statutory reporting obligation applicable to the Controller, the Controller shall be responsible for the fulfilment of those obligations.
(1) The Processor shall process personal data only within the framework of this Agreement and/or in compliance with any additional instructions given by the Controller. Excluded from this are legal provisions which may oblige the Processor to process the data differently. In such a case, the Processor shall inform the Controller of these legal requirements before the processing, unless the law in question prohibits such notification on account of an important public interest. The purpose, nature and scope of data processing shall be governed exclusively by this Agreement and/or the instructions of the Controller. Data processing deviating from this Agreement shall be prohibited unless the Controller has given its written consent.
(2) The Processor shall generally carry out the data processing on behalf of the Controller in member states of the European Union (EU) or the European Economic Area (EEA). The Processor is also permitted to process data outside the EU or EEA if appropriate subprocessors are used in the third country in compliance with the requirements of Section 9, and the requirements of Art. 44-48 GDPR are met or an exception within the meaning of Art. 49 GDPR applies.
(3) The Processor shall inform the Controller if the Processor is of the opinion that an instruction of the Controller is in breach of statutory data protection laws. The Processor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the Controller. Insofar as the Processor can demonstrate that processing according to the instructions of the Controller may lead to liability of the Processor under Article 82 GDPR, the Processor is free to suspend further processing in this respect until the allocation of liability between the parties has been clarified.
The Processor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The Processor shall ensure that the data protection officer has the necessary qualifications and expertise.
(1) The Processor shall inform the Controller immediately of each breach of statutory data protection laws or contractual agreements and/or the Controller's instructions which has occurred during the processing of the data by the Processor or other persons involved in processing the data. The same shall apply to any personal data breach affecting personal data which the Processor processes on behalf of the Controller.
(2) Furthermore, the Processor shall inform the Controller immediately if a supervisory authority takes measures against the Processor pursuant to Art. 58 GDPR and these measures may also affect the processing which the Processor carries out on behalf of the Controller.
(3) The Processor is aware that the Controller may be subject to a notification obligation pursuant to Articles 33 and 34 GDPR, which requires notification to the supervisory authority within 72 hours of becoming aware of the breach. The Processor shall assist the Controller in implementing the notification obligations. The Processor shall notify the Controller, in particular, of any unauthorized access to personal data processed on behalf of the Controller without undue delay, but at the latest within 48 hours of becoming aware of such access. The notification of the Processor to the Controller shall in particular include the following information:
– a description of the nature of the personal data breach, indicating, as far as possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
– a description of the measures taken or proposed by the Processor to address the personal data breach and, where appropriate, to mitigate its possible adverse effects.
(1) The Processor shall assist the Controller in fulfilling its duty to respond to requests for the exercise of the rights of data subjects in accordance with Art. 12-23 GDPR. The provisions of section 12 of this Agreement shall apply.
(2) The Processor shall assist the Controller in compiling the records of processing activities. The Processor must provide the Controller with the required particulars by suitable means.
(3) Taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller in complying with the obligations set out in Articles 32-36 GDPR.
(1) The Processor may allow its employees who are commissioned to process personal data for the Controller to process personal data at mobile workstations outside the Processor’s business premises.
(2) The Processor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when the Processor’s employees use mobile workstations. Deviations from individual contractually agreed technical and organizational measures must be agreed with the Controller in advance and approved by the Controller in text form.
(3) In particular, the Processor shall ensure that when processing personal data at mobile workstations, the storage locations are configured in such a way that local storage of data on IT systems is excluded. If this is not possible, the Processor shall ensure that local storage is exclusively encrypted and that other persons at the location of the respective mobile workstation do not have access to this data.
(4) The Processor is obliged to ensure that effective control of the processing of personal data on behalf of the Controller at mobile workstations is possible.
(5) If employees are also to be deployed at mobile workstations by subprocessors, the provisions of paragraphs 1 to 4 shall apply accordingly.
(1) The Controller has the right to monitor, at any time and to the extent necessary, the Processor's compliance with statutory data protection laws, with the provisions agreed between the Parties and/or with the instructions of the Controller.
(2) The Processor shall be obliged to provide the Controller with information to the extent necessary to carry out an inspection in the meaning of paragraph 1.
(3) The Controller may carry out the inspection within the meaning of paragraph 1 at the Processor’s business premises during normal business hours after prior notification with reasonable notice. The Controller shall ensure that the inspections are only carried out to the extent necessary so that the Processor’s business operations are not disproportionately disrupted by the inspections. The Parties assume that an inspection is required no more than once a year. Further inspections must be justified by the Controller, stating the reason. In the event of on-site inspections, the Controller shall reimburse the Processor for the expenses incurred, including the personnel costs for the supervision and support of the inspectors on site, to an appropriate extent. The basis of the cost calculation shall be communicated to the Controller by the Processor before the inspection is carried out.
(4) At the Processor’s discretion, proof of compliance with the technical and organizational measures may also be provided instead of an on-site inspection by submitting a suitable, current certificate, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification, if the audit report enables the Controller to reasonably satisfy itself of compliance with the technical and organizational measures in accordance with Annex 3 to this Agreement. If the Controller has reasonable doubts about the suitability of the evidence within the meaning of sentence 1, an on-site inspection may be carried out by the Controller. The Controller is aware that an on-site inspection of data centers is not possible, or is possible only in justified exceptional cases.
(5) The Processor shall be obliged to provide the Controller with the necessary information in the event of measures taken by a supervisory authority against the Controller pursuant to Art. 58 GDPR, in particular with regard to information and monitoring obligations, and to grant the competent supervisory authority on-site inspections. The Processor shall inform the Controller of any such intended measures of which it becomes aware.
(6) The Parties agree that, in order to protect the personal rights of other persons at mobile workplaces, control measures for the processing of personal data at mobile workplaces shall primarily be carried out by monitoring the measures to be taken by the Processor in accordance with Section 8 (2) and (3). The Controller must also be given the opportunity to monitor the mobile workplaces of the Processor's employees on an ad hoc basis.
(1) The Processor shall be entitled to use the subprocessors specified at to this Agreement for the processing of data on behalf of the Controller. The change of subprocessors or the commissioning of further subprocessors is permitted under the conditions specified in paragraph 2.
(2) The Processor shall carefully select the subprocessors and check before commissioning that the subprocessor can comply with the agreements made between the Controller and the Processor. In particular, the Processor shall check in advance and regularly during the term of the contract that the subprocessor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data. In the event of a planned change of subprocessors or the planned commissioning of a new subprocessor, the Processor shall inform the Controller in text form in good time, but no later than 2 weeks before the change or new commissioning ("Information"). The Controller shall have the right to object to the change or new commissioning of the subprocessor in text form within 2 weeks of receipt of the "Information", stating the reasons. The objection may be withdrawn by the Controller in text form at any time. In the event of an objection, the Processor may terminate the contractual relationship with the Controller with a notice period of at least 14 days to the end of a calendar month. The Processor shall give reasonable consideration to the interests of the Controller when setting the notice period. If no objection is made by the Controller within two weeks of receipt of the "Information", this shall be deemed to constitute the Controller’s consent to the change or new commissioning of the subprocessor concerned.
(4) The Processor shall ensure that the provisions agreed in this contract and any supplementary instructions of the Controller also apply to the subprocessor.
(5) The Processor shall conclude a data processing agreement with the subprocessor that meets the requirements of Art. 28 GDPR. In addition, the Processor shall impose the same obligations on the subprocessor to protect personal data as are stipulated between the Controller and the Processor. The Controller shall be provided with a copy of the data processing agreement upon request.
(6) In particular, the Processor shall be obliged to ensure by means of contractual provisions that the supervisory powers (Section 9 of this contract) of the Controller and supervisory authorities also apply to the subprocessor and that corresponding supervisory rights of the Controller and supervisory authorities are agreed. It must also be contractually stipulated that the subprocessor must tolerate these control measures and any on-site inspections.
(7) Services which the Processor uses from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subprocessing relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunication services with no specific connection to services that the Processor provides for the Controller, postal and courier services, transportation services, security services. The Processor is nevertheless obliged to ensure that appropriate precautions and technical and organizational measures have been taken to ensure the protection of personal data, even in the case of ancillary services provided by third parties. The maintenance and servicing of IT systems or applications constitutes a subprocessing relationship requiring consent and processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems that are also used in connection with the provision of services for the Controller and personal data processed on behalf of the Controller can be accessed during maintenance.
(1) When processing data on behalf of the Controller, the Processor shall be obliged to maintain the confidentiality of data which it receives or obtains in connection with this data processing agreement.
(2) The Processor also warrants that the employees working on the data have been made aware of the applicable data protection regulations and that they are bound to maintain data confidentiality.
(3) Proof of such an obligation of the employees pursuant to paragraph 2 must be presented to the Controller on request.
(1) The Controller is solely responsible for safeguarding data subjects' rights. The Processor is obliged to support the Controller in its duty to process requests from data subjects in accordance with Articles 12-23 GDPR. The Processor shall in particular ensure that the information required in this respect is provided to the Controller without delay so that the Controller is able to fulfil its obligations, in particular under Article 12 (3) GDPR.
(2) Insofar as the participation of the Processor is necessary for the Controller to safeguard data subjects' rights, especially regarding access, rectification, restriction of processing (blocking) or erasure, the Processor will undertake the necessary measures on instruction by the Controller. Where possible, the Processor shall assist the Controller with appropriate technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subjects' rights.
(3) Provisions concerning remuneration of additional expenses incurred through participation of the Processor in connection with assertion of data subjects' rights against the Controller remain unaffected.
(1) Both Parties hereby undertake to treat all information received in connection with the performance of this Agreement as confidential for an indefinite period and to use the information only for carrying out the Agreement. Neither Party has the right to use the information, in part or as a whole, for purposes other than those mentioned or to make this information available to Third Parties.
(2) The foregoing obligation shall not apply to information that one Party demonstrably received from Third Parties without being bound by secrecy, or which is publicly known.
The Processor's remuneration is provided for by way of a separate agreement.
(1) The Processor undertakes towards the Controller to comply with all technical and organizational measures that are required for compliance with applicable data protection regulations. This includes, in particular, the provisions of Art. 32 GDPR.
(2) The technical and organizational measures as of the time at which this Agreement is made are attached as Annex 3 to this contract. The Parties agree that changes to the technical and organizational measures may be required to adapt to technical and legal requirements. The Processor will inform the Controller in advance and within a reasonable period of any material changes affecting the integrity, confidentiality or availability of personal data. The Processor may implement, without consulting the Controller, measures that entail only slight technical or organizational changes and that do not negatively affect the integrity, confidentiality or availability of the personal data. The Controller may at any time request an up-to-date version of the technical and organizational measures taken by the Processor.
(1) The Agreement begins with the ordering of the Processor’s services and runs for the duration of the main contract existing between the Contracting Parties.
(2) The Controller may terminate the Agreement at any time without notice if the Processor has committed a serious violation of the applicable data protection provisions or a breach of its duties under this Agreement, if the Processor is unable or unwilling to carry out an instruction of the Controller, or if the Processor denies access to the Controller or the competent supervisory authority in breach of the Agreement.
(1) After the Agreement has ended, the Processor shall, at the Controller’s discretion, return to the Controller all documents and data in its possession that relate to the contractual relationship, or shall delete them. The deletion shall be documented in a suitable manner.
(2) The Processor may store personal data that has been processed in connection with the processing relationship beyond the termination of the Agreement if and to the extent that the Processor has a legal obligation to store it. In these cases, the data may only be processed for the purpose of implementing the respective legal storage obligations. After the storage obligation has expired, the data must be deleted immediately.
(1) Should the property of the Controller held by the Processor be at risk through measures of Third Parties (especially confiscation or seizure), insolvency proceedings or other events, the Processor must inform the Controller immediately. The Processor will immediately inform creditors of the fact that the data are processed on behalf of the Controller.
(2) Written form is compulsory for ancillary agreements.
(3) Should individual parts of this Agreement be invalid, the validity of the Agreement’s other provisions will not be affected thereby.
The subject matter and purpose of the processing is the provision and operation of the Processor's unified API platform, which serves as technical middleware between the Controller's software application and the ERP and accounting systems of the Controller's customers. The processing comprises the receipt, normalisation and routing of API requests, authentication and token management, webhook and synchronisation services, as well as real-time passthrough of API calls. The purpose is to enable automated, standardised data integration between the aforementioned systems, in particular the synchronisation of financial and transactional data.
The following types of data are subject to this contract:
- Account data (username, email address)
- Technical data (logs, API calls, time stamps)
- Financial and transactional data routed through the API in real time without storage (e.g. contact data, invoice data, payment information as contained in the connected ERP and accounting systems)
- Support and service data (support tickets, correspondence, details for problem resolution)
Special categories of personal data within the meaning of Art. 9 GDPR are not intended to be processed. To the extent such data is transmitted by the Controller or its end customers via the API, the Controller is solely responsible for ensuring a valid legal basis.
The categories of data subjects are: data subjects whose personal data is contained in the financial and transactional data transmitted via the API, such as customers, suppliers, contact persons and employees of the Controller's end customers, as well as the Controller's own authorised users of the platform.