A signed copy of the following order processing agreement can be requested via email@example.com.
Managing Director: Sebastian Timm
- Contractor -
This Agreement on Commissioned Processing ("Agreement") specifies the obligations of the Contracting Parties regarding data protection and commissioned processing for platform-based Finui Services (Finui Software), which are provided as commissioned processing within the meaning of Art. 28 DSGVO. The Finui Software on which the commissioned processing is based are each governed by the usage agreement ("Usage Agreement"), the service description if applicable and the general terms and conditions of the contractor ("GTC"). It shall apply to all processing of personal data ("Data") in the context of the use of the Finui Software.
§ 1 Subject matter, duration and specification of the commissioned processing
(1) The Contractor shall process personal data on behalf of the Customer. Within the scope of this Agreement, the Customer shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the data processing ("Controller" within the meaning of Art. 4 No. 7 DSGVO).
(2) The scope of services agreed in the User Agreement represents the final instructions of the Customer (with regard to data processing) at the time of the conclusion of this Agreement. In addition, the Customer may issue individual instructions. Such instructions shall be transmitted to the Contractor in an electronic format (text form) and shall also be confirmed by the Contractor in an electronic format (text form).
(1) The Contractor may only process data of data subjects within the scope of the order and the Client's instructions, unless an exceptional case within the meaning of Article 28 (3) a) DSGVO exists. The Contractor shall inform the Client without undue delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.
(2) The Contractor shall organize the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. He shall take technical and organizational measures for the adequate protection of the Customer's data that meet the requirements of the General Data Protection Regulation (Art. 32 DSGVO). The Contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the Processing on a permanent basis. The Customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed. The Contractor shall provide the Customer with documentation of the measures currently implemented in Annex 1.
(3) The Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 of the GDPR.
(4) The Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the scope of the instruction. Furthermore, the Contractor warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/confidentiality obligation shall continue to exist after termination of the order.
(5) The Contractor shall inform the Customer without undue delay if it becomes aware of any violations of the protection of personal data of the Customer. The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned and shall consult with the Client on this without delay.
(6) The Contractor shall name to the Customer the contact persons for data protection issues arising within the scope of the contract.
(7) The Contractor warrants to comply with its obligations under Article 32(1)(d) of the GDPR to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing.
(8) The Contractor shall correct or delete the data that is the subject of the contract if the Client instructs it to do so and this is covered by the scope of instructions. If a deletion in compliance with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in compliance with data protection on the basis of an individual order by the Customer or shall return these data carriers to the Customer, unless already agreed in the contract.
In special cases to be determined by the client, storage or handover shall take place. Remuneration and protective measures for this are to be agreed separately, unless already agreed in the contract.
(9) Data carriers and all other materials shall be surrendered at the request of the Customer after the end of the order. The Contractor shall delete all stored data of the Customer no later than three months after the end of the order.
(10) In the event of a claim against the Client by a data subject with regard to any claims under Art. 82 of the GDPR, the Contractor undertakes to support the Client in defending the claim to the extent possible.
(1) The Customer shall inform the Contractor immediately and in full if it discovers errors or irregularities in the order results with regard to data protection provisions.
(2) In the event of a claim against the Client by a data subject with regard to any claims pursuant to Art. 82 of the GDPR, Section 3 (10) shall apply accordingly.
(3) The Customer shall inform the Contractor of the contact person for data protection issues arising within the scope of the contract.
(1) If a data subject approaches the Contractor with requests for correction deletion or information, the Contractor shall refer the data subject to the Client, provided that an assignment to the Client is possible according to the data subject's information.
(2) The Contractor shall immediately forward the request of the data subject to the Client.
(3) The Contractor shall support the Client within the scope of its possibilities upon instruction, as far as agreed.
(4) The Contractor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the Client.
(1) The Contractor shall prove to the Customer compliance with the obligations set forth in this Agreement by appropriate means.
(2) If, in individual cases, inspections by the Customer or an inspector commissioned by the Customer are necessary, these shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Contractor may make such inspections dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organizational measures that have been set up. If the auditor commissioned by the Client is in a competitive relationship with the Contractor, the Contractor shall have a right of objection against the auditor.
The Contractor may demand remuneration for assistance in carrying out an inspection. The scope of an inspection and the remuneration to be paid for it shall be agreed in writing in advance.
(3) Should a data protection supervisory authority or another sovereign supervisory authority of the Customer carry out an inspection, Paragraph 2 shall apply accordingly in principle. It shall not be necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality where a violation is punishable under the German Criminal Code.
(1) Subcontractors within the meaning of this Agreement are third parties directly and immediately involved in the provision of the scope of services agreed with the Customer for Finui Software on behalf of the Contractor. Related ancillary services of the Contractor, such as the operation of a customer database, room maintenance, the operation of IT infrastructures, printing and mailing services are not covered by this. The Contractor's obligation to ensure data protection and data security remains unaffected by this and arises as the responsible party within the meaning of Art. 4 No. 7 DSGVO.
(2) Subcontractors in third countries may only be engaged if the special requirements of Art. 44 et seq. GDPR are met (e.g., adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
(3) The commissioning of subcontractors for the processing or use of the Client's data is generally only permitted with the Client's approval.
(4) The Contractor shall provide the Customer with a list of all subcontractors in Annex 2.
(5) Approval for the commissioning of additional contract processors at the time of signing shall be deemed to have been granted on the basis of the documentation from Paragraph 4.
(6) Furthermore, the Customer shall grant the Contractor general permission to involve further subcontractors, taking into account para. 2. The Contractor shall inform the Customer by active notification in text form (e.g. by e-mail) if it intends to involve further subcontractors. The Customer may object to this only if there is an important reason under data protection law. The objection must be declared in text form to the Customer within 14 days of the Contractor's active announcement. In the event of an objection, it shall be at the discretion of the Contractor to provide the service owed without adding the subcontractor in question or to terminate the underlying usage agreement in part or in full if the intended change is not reasonable for the Contractor.
(7) The Contractor shall contractually obligate each subcontractor in the same manner as the Contractor is obligated to the Client under this Agreement.
(8) The transfer of personal data of the Customer to the subcontractor and its first activity shall be permitted only after all requirements for subcontracting have been met.
(1) Should the Customer's data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the "responsible person" within the meaning of the General Data Protection Regulation.
(2) Amendments and supplements to this Agreement and all of its components - including any warranties of the Contractor - shall require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to the waiver of this formal requirement.
(3) In the event of any contradictions, the provisions of this agreement on data protection shall take precedence over the provisions of the user agreement. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.
(4) German law shall apply.
The Client and the Contractor shall be liable vis-à-vis data subjects in accordance with the provision set out in Art. 82 GDPR.
The Controller has taken the following technical and organizational measures to achieve the level of protection for data processing (in particular with regard to confidentiality, integrity, availability and resilience of the systems as well as the regular review of the measures), in accordance with the data protection regulations, in particular Article 32 of the General Data Protection Regulation (GDPR).
This document has been prepared in accordance with the legal requirements and is intended to provide a general description to enable a preliminary check to be made as to whether the data security measures taken are appropriate for the aspects described below.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risk in terms of likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the following, as appropriate:
The requirements are mapped and documented in the following categories of TOMs:
The scope of this document is based on the respective license agreement and covers the operational processing and infrastructures in connection with the development and operation of the Finui Software. The Finui Software is operated in the cloud infrastructure of the provider Amazon Web Services (AWS).
In addition, Finui uses further processors who carry out processing of personal data on behalf of Finui in accordance with instructions on the basis of agreed contracts for commissioned processing (Art. 28 DSGVO).
For the sake of transparency and clarity, this document includes the description of the technical and organizational measures at the core infrastructure level. Reference is made to the following documents as central evidence for the TOM documentation of these providers:
Amazon Web Services (AWS):
Description of the individual measures
Procedures for regular review, assessment and evaluation / Overarching organizational measures
Guidelines and directives for the implementation of data protection requirements are available and approved within the company.
The employed and freelance staff, external service providers or subcontractors are bound to data secrecy.
All data center sites have implemented risk management systems and site-specific security operations centers.
Access control (physical)
Access to data processing facilities is organizationally regulated and technically secured or controlled (e.g., with fences, gatekeepers, electronic access controls).
Physical access points to server rooms are monitored by video cameras. Recordings are retained in accordance with regulatory and compliance requirements.
The rooms with data processing equipment are monitored outside the closing hours by alarm systems with connection to police/fire department/guard service (24/7) /central office/doorman.
Access control (system)
Access to the host's management console is secured with multi-factor authentication.
Use of passwords and defined password rules.
Existence of rules and procedures for creating, modifying, deleting authorization profiles or user roles.
Data carriers are encrypted according to current industry standards (here: AES-256).
Every server system is equipped with a host-based attack detection system. This monitors at least parameters such as conspicuous system log entries, signatures of known rootkits and Trojans, conspicuities in the device file system, or bruteforce attacks.
All read, input, change and delete transactions are logged (user ID, transaction details) and archived in an audit-proof manner for at least 6 months
Access control (hardware, terminals)
Accesses that allow access to personal data are always made via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols.
Access protection to all data processing systems through user authentication
Roles and permissions are assigned on a per-user basis and reviewed regularly.
Implementation of complex passwords
- Minimum length 8 characters
- Defined number of 3 failed attempts leads to access blocking.
End devices are locked 5 minutes after last entry and can only be unlocked again with user authentication data.
Ensuring the integrity of data during transport by calculating checksums.
Data transfers between clients and servers are encrypted.
A transfer of personal data, which takes place on behalf of the client, may only take place to the extent of the instructions and as far as this is necessary for the provision of the contractual services for the client. In particular, the disclosure of personal data from the order to unauthorized third parties, e.g. by storage in another cloud storage, is not permitted.
Significant system activities are logged (min. user ID, rights according to role concept, IP address, system components or resources, type of activities performed, and time stamp) and currently retained for up to 30 days. This includes in particular the entry, modification and deletion of data, users and authorizations, as well as changes to system settings. Upon request and/or in the event of concrete suspicion, a corresponding evaluation of the logs can be carried out.
The separate processing and storage of data from different clients is ensured by logical client separation based on a multi-tenancy architecture. Data is assigned and identified by assigning a unique identifier to each client (e.g., customer number/company ID).
Test/development and productive environments are separated from each other. Testing and development takes place with completely anonymized test data.
Depending on the technical possibilities, the networks are separated physically or by means of virtual networks.
The following networks are used permanently: operating environment ("production"), test environment ("staging"), office IT employees, office IT guests. Additional networks are created as required.
To ensure adequate availability, a backup concept for the database with the client's data stored on it and the storage medium with corresponding stored documents has been implemented in accordance with the state of the art.
Regular full restore tests are performed to ensure recoverability in the event of an emergency/disaster.
The data center has business continuity management to maintain and restore operations during emergencies.
To ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, it is ensured that corresponding specifications of spatial separation are guaranteed with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centers at a sufficient distance or data centers of different availability zones
A capacity management system including monitoring and automatic notification of the responsible employees at Finui in the event of capacity bottlenecks has been implemented.
An alert system is in place to monitor the accessibility and status of the server systems. In the event of failures, the infrastructure department is automatically notified in order to take immediate action to rectify the problem.
A concept and documented procedures exist for dealing with disruptions and security-relevant events ("incidents"). This includes, in particular, the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security-relevant events, and the definition of corresponding responsibilities and reporting channels in the event of a breach of the protection of personal data within the framework of the legal requirements.
Other measures to ensure availability in the data centers are in use, such as: automatic fire detection and suppression, smoke sensors, temperature control in the entire data center environment, redundant power supply systems, uninterruptible power supply (UPS), generators that can supply the entire facility with emergency power. Preventive maintenance is performed to ensure the continued operation of the facilities.
Involved service providers are reviewed on a risk basis before the start of the outsourced activities and during the provision of services.
Regular internal audits on data privacy and information security are carried out while ensuring the independence of the auditor (e.g., from another area or externally).
410 Terry Avenue NorthSeattle, WA 98109, USA
Cloud infrastructure, hosting of the servers to run the software, exclusively European server locations.
Lübeckweg 29723 HE GroningenThe Netherlands
Automatic text recognition of invoices
The Atrium Building
Block B, Carmanhall Road
Sandyford Business Estate
Dublin 18, Ireland
E-mail system, data storage, exclusively European server locations
Köpenicker Straße 126, 10179 Berlin
Sending transactional emails
20 Farringdon RoadECIM 3HE, United Kingdom
System access and identification management
Karwendelring 2586956 Schongau, Deutschland
Tax office interface for sales tax reporting