Data Processing Agreement
Lucerne, September 1, 2023, V04
1 The subject of the DPA is the commissioning of yawave by the customer (Client) within the scope of the functions of the yawave Software Suite used by the customer. The processing is based in particular on the General Terms and Conditions existing between the parties (yawave GTC No. 9). yawave processes personal data for the customer within the meaning of Art. 3 of the Swiss Federal Act on Data Protection (FADP) and Art. 4 No. 2 and Art. 28 of the EU General Data Protection Regulation (GDPR) on the basis of this DPA.
2 This Agreement is an integral part of the Contract and it shall enter into force upon the conclusion of the Contract. In the event of a conflict between the provisions of the Contract and the DPA or contradictory statements in the Contract and the DPA, the provisions of the DPA shall prevail over the provisions of the Contract with respect to the respective conflict or contradiction.
3 yawave updates these terms and conditions regularly. If the customer has an active yawave subscription, yawave will notify the customer of any updates by email or in the application.
4 The term of this DPA is determined by the term of the Contract. All terms have the meaning specified in the Contract, unless another meaning is specified in this DPA.
5 Terms used in this contract are to be understood according to their definition in the EU General Data Protection Regulation (GDPR). In this sense, the customer is the “responsible party”, yawave is the “processor”.
2. NATURE, PURPOSE AND DATA SUBJECTS OF DATA PROCESSING
6 Personal data is processed by the customer via the yawave software suite in the following manner: Collecting, recording, organizing, arranging, storing, adapting or modifying, reading, querying, using, disclosing by transmission, dissemination or any other form of making available, matching or linking, restricting, deleting or destroying data.
7 The underlying purpose of the processing is described in the yawave GTC.
8 The following categories of personal data are processed in the process:
– Personal master data such as title, first name, last name, address data, e-mail addresses
– Behavioral data such as visits to specific publications, form submissions, news preferences
– Billing and payment data such as bank details, payment and account data
– Server log data such as browser type and version, operating system used, referrer URL, host name of the accessing computer, time of server request, IP address.
– All other categories, which, for example, come into the knowledge of yawave through simple indexing or through causal relationships.
9 The categories of persons concerned by the processing are the following:
– Interested parties, users and customers of the customer
– Employees and contact persons of the customer
– Suppliers and service providers of the customer
3. DUTIES OF YAWAVE
10 yawave processes personal data exclusively as contractually agreed or as instructed by the customer, unless yawave is legally obligated to a certain processing. If such obligations exist, yawave shall notify the customer thereof prior to processing, unless such notification is prohibited by law. yawave shall furthermore not use the data provided for processing for any other purposes, in particular for its own purposes.
11 yawave undertakes to inform the client immediately if yawave is of the opinion that an instruction of the client constitutes a violation of data protection laws, including the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), or other relevant data protection regulations, or is otherwise unlawful. The client is entitled to suspend or modify the execution of the instruction in question until its legality has been clarified. yawave undertakes not to take any further steps in connection with the instruction in question during this period, unless the client expressly issues a new, lawful instruction.
12 yawave confirms that the relevant, general data protection regulations are known and observes the principles of proper data processing.
13 yawave undertakes to strictly maintain confidentiality during processing. Persons who may gain knowledge of the data processed on behalf of yawave are obligated in writing to maintain confidentiality.
14 yawave assures that the persons employed by yawave for processing are familiarized with the relevant provisions of data protection before processing begins. Corresponding training and sensitization measures are repeated appropriately on a regular basis. yawave ensures that persons employed for commissioned processing are appropriately instructed and monitored with regard to compliance with data protection requirements on an ongoing basis.
15 In connection with the commissioned processing, yawave shall support the customer to the extent necessary in fulfilling its obligations under data protection law, in particular in creating and updating the directory of processing activities, in carrying out the data protection impact assessment and any necessary consultation with the supervisory authority. The required information and documentation will be provided to the customer upon request.
16 yawave shall notify the customer immediately of any violations of the protection of personal data processed on behalf of the customer. Reasonable suspicions thereof shall also be notified. The notification must contain at least the following information:
– a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of individuals affected, the categories affected, and the approximate number of personal data records affected;
– the name and contact details of the data protection officer or other point of contact for further information;
– a description of the likely consequences of the personal data breach;
– a description of the measures taken or proposed by yawave to address the personal data breach and, if applicable, measures to mitigate its potential adverse effects.
17 Significant disruptions in the execution of the order as well as violations of data protection regulations or the provisions of this contract by yawave or its employees must also be reported immediately.
18 yawave shall inform the customer without delay of controls or measures by supervisory authorities or other third parties, insofar as these relate to the commissioned processing.
19 yawave assures that it will support the customer in fulfilling the customer's obligations to the necessary extent.
20 If the customer is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, yawave undertakes to support the customer to the extent necessary insofar as the processing on behalf is concerned.
21 yawave may provide information to third parties or to the data subject only with the prior consent of the customer. Requests addressed directly to yawave will be forwarded by yawave to the customer.
22 yawave appoints a competent and reliable person as data protection officer. In case of doubt, the customer may contact the data protection officer directly. Changes in the person or the internal tasks of the representative will be communicated to the customer by yawave.
23 As a matter of principle, the commissioned processing shall take place within Switzerland, the EU or the EEA. If personal data processed under this Agreement is transferred from a country within the EEA, including Switzerland, to a country outside the EEA, including Switzerland, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses with the necessary adjustments according to Swiss data protection law for the transfer of personal data.
24 The customer alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
25 Customer specifically agrees that it is solely responsible for:
– the accuracy, quality and lawfulness of customer data and the means by which it obtains personal data;
– compliance with all requirements for lawfulness and transparency under applicable data protection law with respect to the collection and use of personal data, including obtaining any necessary consents and authorizations (in particular when used for marketing purposes by the customer);
– warranting that it is entitled to transfer or give yawave access to the personal data for the purpose of processing in accordance with the provisions of the Agreement (including these DPA);
– ensuring that instructions to yawave regarding the processing of personal data comply with applicable laws, including data protection law; and
– complying with all applicable laws (including applicable privacy laws) regarding emails or other content created, sent or maintained through the Subscription Services, including laws regarding obtaining consent (if required) to send emails, email content and email sending practices.
26 The customer shall notify yawave immediately if it is unable to comply with its obligations under this section or applicable data protection law.
27 The Parties agree that the Agreement (including this DPA) and the Customer’s use of the Subscription Service in accordance with the Agreement constitute the Customer’s complete and final instructions to yawave regarding the processing of personal data and that additional instructions beyond the instructions are valid only if agreed in advance in writing between the Parties.
28 The Customer shall independently verify whether the data security provided as part of the Subscription Service adequately complies with its obligations under applicable data protection law. The Customer is also responsible for the secure use of the Subscription Service, including ensuring security in the transmission of personal data in connection with the Subscription Service.
29 The customer is entitled to control the compliance with the regulations on data protection and the contractual agreements at yawave to a reasonable extent himself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site controls (according to clause 5.7).
30 Inspections at yawave have to be carried out without avoidable disruptions of its business operations. Unless otherwise indicated for urgent reasons to be documented by the customer, controls shall take place after reasonable advance notice and during yawave’s business hours, and not more frequently than every 12 months. As far as yawave provides evidence of the correct implementation of the agreed data protection obligations as provided for in chapter 5 of this contract, any control shall be limited to random samples.
31 yawave shall implement appropriate technical and organizational measures in such a way that the processing is carried out in compliance with the requirements of the FADP and the GDPR and the protection of the rights of the data subject is ensured. yawave shall design its internal organization in such a way that it meets the specific requirements of data protection and an appropriate level of protection is achieved. In particular, yawave ensures appropriate security of processing, especially confidentiality (including pseudonymization and encryption), availability, integrity, and resilience of the systems and services used for data processing, taking into account the respective state of the art. The technical and organizational measures are described in detail in Appendix 1.
32 The technical and organizational measures may be adapted to further technical development in the course of the contractual relationship. In doing so, the adapted measures must at least correspond to the security level of the measures agreed in Annex 1.
33 yawave ensures that the data processed on behalf of the customer is strictly separated from other data.
34 Copies or duplicates will not be made without the knowledge of the customer. Technically necessary, temporary duplications are excluded, as far as an impairment of the data protection level agreed upon here is excluded.
35 Upon the customer’s written request, yawave will provide the customer with all necessary information to prove the obligations regulated in this DPA, in the FADP and the GDPR. In particular, yawave will provide the customer with written information about the stored data and the data processing programs. The customer may exercise this right no more than once per calendar year.
36 yawave agrees that the customer – in principle by appointment – is entitled to verify compliance with the obligations under this contract and under Article 28 GDPR, either itself or through third parties commissioned by the customer. The customer must pay for the additional expenses incurred. yawave is entitled to refuse inspections by third parties if they are in a competitive relationship with yawave or if there are similarly weighty reasons.
37 Upon request, yawave shall provide the customer with suitable evidence of compliance. This evidence can be provided by the provision of documents and certificates that reflect approved codes of conduct or approved certification procedures.
38 The contact person for data protection issues is Jari Honka, [email protected].
39 The Subscription Service provides a number of features that allow Customer to access, enhance, delete, or restrict access to Personal Data. Customer may use these features to comply with its obligations under data protection law, including its obligations with respect to responding to requests from data subjects who wish to assert their rights under applicable data protection law (“Data Subject Requests”).
40 To the extent that Customer is unable to comply with a Data Subject’s request through the Subscription Service on its own, yawave will, upon written request, provide reasonable assistance to comply with any requests from Data Subjects or requests from data protection authorities in connection with the processing of Personal Data pursuant to the Agreement. Customer will reimburse yawave for commercially reasonable costs incurred as a result of such assistance.
41 If an inquiry or other communication from a data subject regarding the processing of personal data under the Agreement is addressed directly to yawave, yawave shall promptly notify the Customer thereof and inform the data subject that it must address its inquiry to the Customer. The effective response to inquiries or communications from data subjects regarding personal data is the sole responsibility of the customer.
42 yawave will only correct, delete or block data processed within the framework of the DPA in accordance with the contractual agreement reached (yawave GTC) or in accordance with the customer’s instructions. The corresponding instructions of the customer will be followed by yawave even after the termination of this contract.
7. SUBCONTRACTING RELATIONSHIPS
43 Third parties contracted by yawave to process data (such as for data center services or payment processing) may only use personal data within the scope of the order placed by yawave and not for their own purposes (yawave GTC section 58).
44 yawave carefully selects its subcontractors, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.
45 At present, the subcontractors designated in Annex 2 with name, address and order content are engaged in the processing of personal data to the extent specified therein and approved by the customer. The other obligations of yawave towards subcontractors set forth herein shall remain unaffected.
46 yawave shall contractually ensure that the regulations agreed in this contract also apply to subcontractors. The contract of yawave with the subcontractor must be concluded in writing or in electronic format.
47 A commissioning of subcontractors in third countries only takes place if the special requirements of Art. 16 FADP and Art. 44 et seq. GDPR are fulfilled.
8. GENERAL REGULATIONS
48 yawave reserves the right to update and change this DPA.
49 If individual provisions of these GTC are judged to be invalid or unenforceable, this shall not affect the validity of the remaining provisions of these GTC.
APPENDIX 1: SECURITY MEASURES
This annex is part of the DPA.
We currently follow the security procedures described in Appendix 1.
a) Access control
i) Protection against unauthorized product access
Outsourced processing: We host our service through outsourced cloud infrastructure providers. In addition, we maintain contractual relationships with third-party providers to provide the Service in accordance with our DPA. We maintain contractual agreements, privacy policies, and vendor compliance programs to protect the data processed or stored by those vendors.
Physical Protection and Environmental Security: We host our product infrastructure through multi-tenant, outsourced infrastructure operators. Physical protection and environmental security controls are reviewed for compliance with SOC 2 Type II, ISO 27001, and other certifications.
Authentication: We are introducing a uniform password policy for our customer products. Customers interacting with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multitenant storage systems that customers can access exclusively via application user interfaces and programming interfaces. Customers do not have authorization to directly access the underlying application infrastructure. Authorization models in all of our products are designed to ensure that only appropriately assigned individuals have access to key features, views, and customization options. Authorization for data sets is done by matching the usage permission with the attributes of each data set.
Access to application programming interfaces (API): Access to public product API is done using either an API key or OAuth authorization.
ii) Protection against unauthorized product use
We implement industry-standard network access controls and threat detection capabilities for the internal networks on which our products are based.
Access Controls: Network access control mechanisms have been developed to prevent network traffic that uses unauthorized protocols from reaching the product infrastructure. The technical measures used vary by infrastructure operator and include virtual private cloud (VPC) implementations, security group assignments, and traditional firewall rules.
Static code analysis: The code stored in our source code repository is compared with programming best practices during security audits and checked for software errors.
Penetration testing: We work with industry-recognized penetration testing vendors and perform X penetration tests per year. The goal of penetration testing is to identify and remediate predictable attack vectors and potential misuse scenarios.
iii) Restricted access rights and authorization requirements
Product access: A group of our employees has access to the products and customer data via controlled interfaces. This access by a group of employees is used to provide efficient customer service, faster problem resolution, and timely detection of security incidents. All requests of this nature are logged. Employees are granted access based on their role.
Policies: All yawave employees are required to comply with all company policies, confidentiality obligations, and ethical requirements.
b) Transmission control
While Stored: We store user passwords according to policies that meet industry standard practices for security. We have implemented technologies that ensure encryption of stored data at rest.
c) Input control
Detection: Our infrastructure is designed to log comprehensive information about system behavior, traffic received, system authentications, and other application requests. Our staff, including security, operations, and support personnel, are trained to respond to known incidents.
d) Availability control
Infrastructure Availability: Infrastructure operators shall make commercially reasonable efforts to ensure at least 99.5% uptime. Operators shall maintain the minimum of N+1 redundancy for power, network and air conditioning.
Fault tolerance: Backup copies of customer data are created in multiple persistent data stores and replicated across multiple availability zones.
Our products are designed to provide redundancy and seamless failover. The product-supporting server instances were designed with the goal of avoiding single points of failure. This design helps us maintain and update our product applications and back-end operations, and it limits downtime.
ANNEX 2: LIST OF SUBPROCESSORS
This annex is part of the DPA.
yawave cooperates in data processing with the following subcontractors:
Company | Address | Country | Type of Service
--- | --- | --- | ---
Interspark Inc | Interspark Inc, PO Box 1224, Bentonville, AR 72712, US | USA | DevOps and server monitoring on GCP in Zürich
ESGroup Poland sp. z o.o. | ESGroup Poland sp. z o.o., Podole 60, 30-394 Krakow, Poland | Poland | 3rd Level Application Support
Google Switzerland GmbH | Brandschenkestrasse 110, 8002 Zürich, Switzerland | Switzerland | Cloud Provider