Data Processing Agreement (DPA)
Version: April 2023.
Subject to change at any time.
Preamble
This Data Processing Agreement (hereinafter "DPA") specifies the obligations regarding data protection arising from the contractual relationship between ASMIQ I/O AG (hereinafter "Provider") and its customers (hereinafter "Client"). The contractual relationship between the parties is based on the General Terms and Conditions of Business (hereinafter "GTC") and the Privacy Policy (hereinafter "DSE"), which therefore form an integral part of the DPA. The DPA shall apply to all activities arising from the contractual relationship between the Parties in which employees of the Provider or third parties commissioned by the Provider process personal data (hereinafter "Data") of the Client. The Client can contact the Provider's data protection officer at datenschutz@old.asmiq.io for all data protection issues that may arise.
1. Subject matter, duration and specification of the order processing
1.1 The subject matter and duration of the order as well as the type and purpose of the processing are generally set out in the GTC, unless the following provisions contain additional obligations.
1.2 Annex A to the DPA specifies the subject matter, nature and purpose of the commissioned processing.
2. Scope of application and responsibility
2.1 The Provider processes personal data on behalf of the Client. This includes activities that are specified in the GTC, the DSE, in Annex A of this DPA and in the current service description on the Provider's website.
2.2 Within the framework of the contractual relationship, the Client shall be solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the data transfer to the Provider and for the lawfulness of the data processing.
3. Obligations of the Provider
3.1 The Provider processes data of data subjects only within the scope of the contractual relationship in accordance with the GTC, the DSE and this DPA, unless there is a legally regulated exception.
3.2 The Provider shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take technical and organizational measures for the appropriate protection of the Client's data that meet the respective legal requirements. In particular, these shall ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term. The Client is aware of these technical and organizational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.
3.3 The measures taken by the Provider are specified in Annex B. The technical and organizational measures are subject to technical progress and further development. In this respect, the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level contractually agreed in this DPA may not be undercut.
 3.4 If agreed, the Provider shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects under data protection law and in complying with data protection obligations. In accordance with the GTC, the Provider is entitled to charge a fee for this.
 3.5 The employees involved in the processing of the Client's data and other third parties working for the Provider shall process the data exclusively within the framework of the contractual relationship in accordance with the GTC, the DSE and this DPA and are obliged to maintain confidentiality.
 3.6 If the Provider becomes aware of a breach of the protection of personal data, it shall take reasonable measures to secure the data and to minimize any possible adverse consequences for the persons concerned. In addition, the Provider shall fully comply with the applicable statutory provisions regarding the reporting of data breaches.
 3.7 The Provider fully complies with the applicable data protection provisions and regularly reviews the effectiveness of the technical and organizational measures to ensure the security of the processing.
 3.8 The Provider shall process and store personal data for as long as the contractual relationship between the Provider and the Client exists. The Provider shall correct or delete the contractual data if instructed to do so by the Client and if this is covered by the scope of the instructions. This does not apply to data that is required for further processing due to legal regulations or for mandatory internal purposes. The release of the data and the corresponding remuneration is regulated in the GTC.
4. Obligations of the Client
4.1 The Client must inform the Provider immediately and in full in writing or via the web-based help center (ticket system) if it discovers errors or irregularities in the results of the order with regard to data protection regulations.
4.2 The Client shall inform the Provider of the contact person for data protection issues arising in the context of the contractual relationship, if this differs from the contact person already named.
4.3 The Client declares that it bears sole responsibility for informing the persons affected by the data processing about the possible storage and use of the data. The Provider shall process and forward the data in accordance with the provisions of the GTC, the DSE and this DPA. If individual data subjects do not agree with the intended data processing, the Client is responsible for requesting the deletion of the respective data via the web-based help center (ticket system).
4.4 By accepting the GTC and the DSE, the Client expressly declares its consent to the forwarding of its data to the Provider's parent company and affiliated companies. The Client releases the Provider from any possible claims. Obtaining the consent of the persons concerned is the responsibility of the Client.
5. Inquiries from data subjects
 5.1 If a data subject contacts the Provider with requests for rectification, erasure or information, the Provider shall refer the data subject to the Client, provided that the data subject can be assigned to the Client according to the information provided by the data subject. The Provider shall forward the data subject's request to the Client within a reasonable period of time. The Provider may support the Client in the event of data protection claims by a data subject within the scope of its possibilities. In this case, the Provider is entitled to demand compensation for expenses. The Provider shall not be liable if the request of the data subject is not answered by the Client, is not answered correctly or is not answered on time.
6. Verification options
6.1 The Provider shall provide the Client with evidence of compliance with the obligations set out in this Annex by suitable means. This shall take the form of a self-audit and/or ISO certification.
 6.2 Should inspections by the Client or an auditor commissioned by the Client be necessary in individual cases (e.g. due to the GDPR), these shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Provider may make this dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures in place. If the auditor commissioned by the Client is in a competitive relationship with the Provider, the Provider may reject the auditor and propose a neutral person. The Provider may charge the Client for any costs associated with the audit, in particular if no irregularities are found.
 6.3 Should a data protection supervisory authority or another sovereign supervisory authority of the client carry out an inspection, Section 6.2 shall apply accordingly. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to a professional or statutory confidentiality obligation where a breach is punishable under the German Criminal Code.
7. Subcontractors (other processors)
 7.1 The Provider may engage subcontractors to fulfill the contractual service. The commissioning of subcontractors as processors by the Provider is permitted, provided that they in turn fulfill the requirements of this DPA within the scope of the subcontract. The Provider shall enter into agreements with the subcontractors to the extent necessary to ensure appropriate data protection and information security measures. Subcontractors who do not have access to customer data or do not process personal data as processors are excluded from this chapter.
8. Duty to inform
 8.1 Should the Client's data at the Provider be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Provider shall inform the Client of this immediately. The Provider shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client.
9. Liability
 9.1 Liability shall be governed by the corresponding provisions in the GTC.
10. Miscellaneous
10.1 In all other respects, the provisions of the GTC and DSE shall apply. In the event of any contradictions between the DPA and the GTC, the provisions in the GTC shall take precedence. Should individual parts of the DPA be invalid, this shall not affect the validity of the GTC and the remaining provisions of the DPA. Appendices A and B are an integral part of this DPA.
ASMIQ I/O AG
Baslerstrasse 60
8048 Zurich
Appendix A Object, nature and purpose
Appendix B Technical and organizational measures (TOM)
 
Appendix A - Subject matter, nature and purpose

| Item | Description |
|---|---|
| Object of the order | Processing of the Client's personal data as part of its use of the Provider's services as Software as a Service. |
| Nature and purpose of the intended processing | The personal data processed by the Client is transferred to the Provider as part of the Software as a Service services. The Provider processes this data exclusively in accordance with the GTC and the corresponding service description on the Provider's website (order management, contact management (CRM), accounting, e-banking, payroll accounting, warehouse management, project management, etc.). |
| Types of personal data | The types of data depend on the data transmitted by the Client. These are in particular (depending on the order): personal master data (name, date of birth, address, employer) including contact details (e.g. telephone, e-mail); contract data, including billing and payment data; history of the contract data. |
| Categories of data subjects | The categories of data subjects depend on the data transmitted by the Client. These are in particular (depending on the order): employees (including applicants and former employees) of the Client; customers of the Client; interested parties of the Client; service providers of the Client; contact persons at these parties. |
| Deletion, blocking and correction of data | Requests for deletion, blocking and correction must be addressed to the Client; otherwise, the provisions of the GTC, the DSE and this DPA apply. |
 
Appendix B - Technical and organizational measures (TOM)
1. Confidentiality
1.1 Physical access control
1.1.1 Physical measures
- Construction planning according to SIA standard
1.1.2 Technical measures
- Intruder alarm system (where fitted)
- Fire alarm system
- Spot video surveillance
- (Electronic) access control system
1.1.3 Organizational measures
- Reception
- Logging of visitors
- Careful selection of personnel
1.2 System access control
1.2.1 Technical measures
- Use of firewalls
- Anti-malware software
- Login via user ID and password
- Remote access via VPN and/or MFA (hardware token, app or SMS (mTAN))
- Forced password change according to IT specifications
- Printer with authentication function (where appropriate)
1.2.2 Organizational measures
- Requirements for password selection
1.3 Data access control / input control
1.3.1 Technical measures
- Assignment of each account to a unique identity
- Physical destruction of data carriers
- Non-reversible deletion of data carriers
1.3.2 Organizational measures
- Specification of Clean Desk Policy (where appropriate)
- Specification for file and data carrier destruction (where appropriate)
1.4 Separation control
1.4.1 Technical measures
- Use of firewalls
- Separation of production, integration and test environments
- Logical separation of clients (multi-client capability)
1.4.2 Organizational measures
- Authorization concepts (users/administrators/super users)
2. Integrity
2.1 Transfer control
2.1.1 Technical measures
- Use of VPN
- Secure data transport (SSL/TLS, SFTP (SSH File Transfer Protocol))
- WLAN authentication
2.1.2 Organizational measures
- Documentation of the data recipients and the duration of the planned transfer or deletion periods (web transfer "rumplet")
- Careful selection of personnel and vehicles
- Requirements for remote access/remote maintenance
3. Availability (and resilience)
3.1 Availability control
3.1.1 Technical measures
- Redundant data centers
- UPS system/diesel unit
- Regular full and incremental backups
- Offline backups (locally separated data storage)
- Regular recovery tests
- Regular security checks at infrastructure and application level
- Building automation: monitoring of server rooms (temperature, humidity, smoke)
- Protection against overvoltage
- Alarm-protected server room (alarm in the event of unauthorized access/open door)
3.1.2 Organizational measures
- Security process for software and IT applications
- Comprehensive backup and recovery process (online/offline; on-site/off-site)
- Emergency plan (technical, organizational)
- Standard processes for employee changes / departures
4. Procedures for regular review, assessment and evaluation
4.1 Data protection management
 ASMIQ attaches great importance to the responsible and legally compliant handling of personal data when providing services to its customers. ASMIQ ensures that data is handled with great care and in accordance with the relevant legal provisions of data protection law.
4.1.1 Technical measures
- Documentation on data protection for employees (intranet)
- Periodic review of the effectiveness of the technical protective measures
- Data protection management with supporting tool solutions (interface management, processing directories, etc.)
4.1.2 Organizational measures
- Appointment of data protection officer(s)
- Obligation of employees to maintain confidentiality
- Guarantee of information obligations
- Process for handling requests for information and other rights of data subjects
4.2 Incident response management
4.2.1 Technical measures
- Incident Response Toolkit
- Anti-phishing services
- DDoS protection
4.2.2 Organizational measures
- Reporting process for data breaches
- Involvement of data protection officers in security incidents and data breaches
- Involvement of information security officers in security incidents and data breaches
- Defined role of operations in crisis management
4.3 Privacy and security by design
4.3.1 Technical measures
- Application of different security tools in the context of software development
- Security health checks for self-developed software
4.3.2 Organizational measures
- Recommendations of technical measures for secure software development
- Deployment of security champions (security-savvy employees with in-depth knowledge of information security and/or data protection)
- Opportunity for further training in software development
- Supplier Security Management Program
 ASMIQ attaches great importance to working securely and in partnership with its service providers because ASMIQ wants to make a contribution to digital trust and strengthen customer confidence in its products. ASMIQ sees trusting and personal contact with highly critical service providers as the key to secure, resilient collaboration in an increasingly risk-laden digital ecosystem. ASMIQ sees reports, assessments and professional exchanges with service providers as added value for the benefit of its service providers. ASMIQ believes that this contributes to the optimization of digital security in the interests of all customers.
- Software development
 ASMIQ bases its software development on international best practices and has established a minimum security setup for each project. Depending on the criticality of the services or products operated, further comprehensive security tests are carried out on a risk basis.
ASMIQ uses the following methods for secure software development:
- Secure code review with the aim of identifying errors, defects and incompatibilities with requirements or security vulnerabilities as well as improving knowledge management.
- Static Application Security Testing (SAST) for checking source code, binary files and bytecode with coverage of most programming languages (white box tool)
- Dynamic Application Security Testing Tool (DAST) for detecting conditions that indicate security vulnerabilities in a running application with in-depth testing for input and output vulnerabilities (black box tool)
- Interactive Application Security Testing Tool (IAST) as an agent inside the running application that tests the data flow with access to the underlying code
- Software Composition Analysis (SCA) for analyzing the software composition of open source software including transitive dependencies and for managing licenses (FOSS)
ASMIQ uses the following tools, among others, for software development:
- Git/Bitbucket (Code Review)
- Sonar (SAST)
- Fortify (SAST)
- Seeker (IAST)
- XRay (SCA)