Data Processing Agreement

Effective date: September 29th, 2023

Annex I DATA PROCESSING AGREEMENT to the Terms Of Service

(“DPA”) pursuant to Art 28 GDPR

1. Entry provisions 

1.1. Contracting parties 

This contract is concluded between the 

CUSTOMER

hereinafter referred to as the “CONTROLLER” on the one hand

and

PROVIDER

hereinafter referred to as the “PROCESSOR” on the other hand.

1.2. Definitions

PROCESSOR means a processor within the meaning of Article 4 (8) of the General Data Protection Regulation. A processor in this sense is anyone who processes DATA on behalf of the CONTROLLER.

DATA means personal data within the meaning of Article 4 (1) of the General Data Protection Regulation.

GDPR means the General Data Protection Regulation as amended from time to time.

MAIN CONTRACT means the contract between the parties which forms the basis of the present GTC. Specifically, these are the Terms of Service mentioned above.

CONTROLLER means a responsible party within the meaning of Article 4 (7) of the General Data Protection Regulation. A controller in this sense is the person who decides on the purposes and means of the processing of DATA.

The CONTRACTUAL PARTIES include the CONTROLLER and the PROCESSOR.

1.3. Preamble

According to Article 4 (8) of the GDPR, a natural or legal person, authority, institution or other body that processes personal data on behalf of the CONTROLLER is to be qualified as a PROCESSOR. In this case, the CONTRACTING PARTIES are obliged to conclude a PROCESSOR'S AGREEMENT within the meaning of Art. 28 of the GDPR. By signing the present DPA, the CONTRACTING PARTIES comply with this obligation. The PROCESSOR shall provide sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR and the protection of the rights of the data subjects is ensured (Art 28 (1) GDPR).

2. Main part

2.1. Subject, Duration, Kind and Purpose of data processing (Art 28 (3) GDPR)

This contract is concluded for an indefinite period. It shall terminate as soon as the MAIN CONTRACT ends. The subject matter and nature of this DPA are set out in the MAIN CONTRACT and can be summarised as follows: Provision of software-as-a-service services (provision of the software, hosting, maintenance services, IT support).

2.2. Type of personal data and categories of data subjects (Art 28 (3) GDPR)

In the course of the present contract, the following types of DATA of (i) employees of the CONTROLLER; (ii) of the CONTROLLER himself; (iii) of the customers of the CONTROLLER; (iv) of the business partners of the CONTROLLER, are processed: 

  • Name

  • Employers,

  • Profession,

  • Language, 

  • Addresses,

  • All data required in the course of maintenance,

  • E-mail address,

  • Log-In-Data (E-Mail)

  • Screening (clients)/Incident tickets in case of maintenance

  • All documents and DATA required in a business relationship (invoices, offerings, time registration)

2.3. Processing only on documented instruction (Art 28 (3) lit a GDPR)

The PROCESSOR shall only process DATA on the documented instructions of the CONTROLLER - including in relation to the transfer of DATA to a third country or an international organisation - unless it is required to do so by Union or Member State law to which the PROCESSOR is subject; in such a case, the PROCESSOR shall notify the CONTROLLER of such legal requirements prior to the processing, unless the law in question prohibits such notification on the grounds of an important public interest.

2.4. Obligation of confidentiality (Art 28 para 3 lit b GDPR)

The PROCESSOR warrants that the persons authorised to process the DATA have committed themselves to confidentiality or are subject to appropriate legal secrecy.

2.5. Obligation to implement the necessary measures (Art. 28 para 3 lit c GDPR)

The PROCESSOR warrants to take all measures required pursuant to Article 32 of the GDPR. The PROCESSOR shall provide a detailed list of the technical and organisational measures upon request.

2.6. Support obligations (Art 28 para 3 lit e GDPR)

The PROCESSOR shall, where possible, in view of the nature of the processing, support the CONTROLLER with appropriate technical and organisational measures to comply with its obligation to respond to requests to exercise the data subject's rights referred to in Chapter III of the GDPR.

2.7. Information requirements (Art 28 Para 3 lit f GDPR)

The PROCESSOR shall assist the CONTROLLER in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the technical information at its disposal.

2.8. Return or deletion of data (Art 28 para 3 lit g GDPR)

The PROCESSOR shall, upon completion of the provision of the processing service, either delete or return all DATA at the choice of the CONTROLLER, unless there is an obligation under Union or Member State law to retain the DATA.

2.9. Possibility of review (Art 28 para 3 lit h GDPR)

The PROCESSOR shall provide the CONTROLLER with all information necessary to demonstrate compliance with the obligations laid down in Art 28 GDPR and shall enable and contribute to verifications - including inspections - carried out by the CONTROLLER or any other auditor appointed by the CONTROLLER.

2.10. Duty to inform in the event of a data protection breach (Art 28 para 3 lit h GDPR)

The PROCESSOR shall inform the CONTROLLER without undue delay if it considers that an instruction infringes the GDPR or any other Union or Member State data protection legislation.

2.11. Use of sub-processors (Art 28 (4) GDPR)

Where the PROCESSOR uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations shall be imposed on that other processor by way of a contract or other legal instrument under Union or Member State law, set out in the contract or other legal instrument between the CONTROLLER and the PROCESSOR pursuant to this DPA, in particular providing sufficient guarantees that the appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of the GDPR. If the Processor fails to comply with its data protection obligations, the first PROCESSOR shall be liable to the CONTROLLER for compliance with the obligations of that other processor.

The following sub-processors are currently employed:

See Annex Ia

The CONTROLLER shall give general permission for the PROCESSOR to use other sub-processors. However, the PROCESSOR shall always inform the CONTROLLER of any intended change in the use or replacement of other sub-processors. The CONTROLLER has the right to object to such changes (Art 28(2) GDPR). The PROCESSOR undertakes to comply with the conditions set out in Art 28(2) and (4) of the GDPR for the use of the services of another processor (Art 28(3) (d) of the GDPR).

3. Final provisions

3.1. Partial Ineffectiveness/Salvatory Clause

Invalid provisions of individual parts of this DPA shall not affect the validity of the remaining provisions. They shall be replaced by appropriate substitute provisions which, in the light of the purpose of the contract, come as close as possible to what the CONTRACTING PARTIES would have wanted had they known of the invalidity. The same applies in the case of loopholes contrary to the contract. In case of doubt, the rules of Art 28 GDPR apply.

3.2. Applicable law

This DPA (and all related parts of the contract) shall be governed by Austrian law. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is excluded.

3.3. Venue

For the settlement of disputes concerning the validity of the DPA (and all related parts of the contract), arising from the contract and after termination of the contract, the court with subject-matter jurisdiction for the registered office of the PROCESSOR is agreed.

3.4. Costs

The costs incurred in the course of the performance of the obligations under this contract shall be borne by each party. However, if the PROCESSOR is confronted with unusually high costs in this connection, it reserves the right to assert corresponding claims for compensation.

4. Contract hierarchy

This DPA forms an integral part of the MAIN CONTRACT. In the event of a conflict, the provisions of the DPA shall supersede those of the MAIN CONTRACT, provided that the provision concerned primarily deals with a regulation within the meaning of the GDPR.

5. Annexes

The attached Annex forms an integral part of this Agreement and shall be deemed to have been validly agreed.

Annex Ia: Sub-Processors


Annex Ia (engaged Sub-Processors)

  • Neon, Inc

    • Purpose of data processing: Postgres Database

    • Seat: US (data stored in Germany, Frankfurt)

    • Ensuring an adequate level of data protection: Standard contractual clauses pursuant to Art 46 (2) lit c GDPR

  • Hasura Inc

    • Purpose of data processing: Data Backend/Data API Platform

    • Seat: US (data stored in Ireland)

    • Ensuring an adequate level of data protection: EU US Data Privacy Framework

  • Amazon, Inc

    • Purpose of data processing: File Storage; transactional emails

    • Seat: US (data stored also in Ireland)

    • Ensuring an adequate level of data protection: EU US Data Privacy Framework

  • Okta, Inc (Auth Service)

    • Purpose of data processing: Customer and authentication Service

    • Seat: US

    • Ensuring an adequate level of data protection: Standard contractual clauses pursuant to Art 46 (2) lit c GDPR

  • Lemon Squeezy, LLC

    • Purpose of data processing: Software as a Service Platform (Merchant of record)

    • Seat: US

    • Ensuring an adequate level of data protection: Standard contractual clauses pursuant to Art 46 (2) lit c GDPR

  • Functional Software, Inc (Sentry)

    • Purpose of data processing: Error tracing

    • Seat: US

    • Ensuring an adequate level of data protection: EU US Data Privacy Framework

  • Better Stack, Inc

    • Purpose of data processing: Uptime Monitoring Tool

    • Seat: US

    • Ensuring an adequate level of data protection: Standard contractual clauses pursuant to Art 46 (2) lit c GDPR

  • Not Just Tickets Ltd

    • Purpose of data processing: Support System

    • Seat: UK

    • Ensuring an adequate level of data protection: Standard contractual clauses pursuant to Art 46 (2) lit c GDPR

  • Mixpanel

    • Purpose of data processing: Event analytics service that tracks user interactions with web and mobile applications

    • Seat: US

    • Ensuring an adequate level of data protection: EU US Data Privacy Framework (Link)

®

2024

Fugoya GmbH

Fugoya and the F Logomark are registered trademarks in the European Union.
