Data Processing Agreement in accordance with Art. 28 GDPR

  1. Validity and definitions

    1. This Data Processing Agreement ("DPA") supplements Oxolo's General Terms and Conditions (“GTC”) for the use of the himala software. This DPA does not apply to natural persons who use himala exclusively for the exercise of personal or family activities within the meaning of Art. 2 (2) lit. c GDPR. 

    2. In the event of a conflict between this DPA and Oxolo's GTC, this DPA shall take precedence.

    3. Terms used in this DPA and their variations correspond to those used in Oxolo's GTC, unless otherwise or additionally regulated below. By way of derogation or addition, the following terms shall apply: 

      • "Client": Refers to the user within the meaning of the User Agreement. This is the natural or legal person who uses or wishes to use the himala software solution and any other services offered by Oxolo on the basis of the User Agreement.

      • "Contractor": Refers to Oxolo within the meaning of the User Agreement, i.e. Oxolo GmbH, Bohnenstrasse 2, 20457 Hamburg.

      • "User Agreement": Refers to the contract concluded between the user (or Client) and Oxolo (or Contractor) for the use of the himala software. The content of the contract of use is set out in Oxolo's GTC.

      • "Parties": Joint designation for the Client and the Contractor.

      • "DPA": Designates this data processing agreement pursuant to Art. 28 GDPR and its annexes.

  2. Subject matter and duration of the order

    1. This DPA specifies the data protection obligations of the parties arising from the data processing that the Contractor carries out for the Client in accordance with the User Agreement. The subject matter of the agreement is the provision of the himala software solution and its functions. For a detailed description of the services to be provided by the Contractor, please refer to the License Agreement and Annex 1.

    2. In addition, this DPA shall apply to all work activities that are related to the work activities in accordance with Annex 1 and where employees of the Contractor or any third parties commissioned by the Contractor may come into contact with personal data of the Client.

    3. This DPA is concluded between the parties together with the User Agreement. The duration of this DPA corresponds to the term of the User Agreement. However, the obligations arising from this DPA shall continue to apply after termination of the User Agreement as long as the Contractor has not released, deleted or otherwise destroyed all of the Client's personal data in accordance with this DPA.

  3. Specification of the order details

    1. The nature and purpose of the processing of personal data by the Contractor for the Client are specifically described in Annex 1.

    2. The Contractor shall ensure compliance with all statutory provisions on data protection in its area of responsibility.

    3. The Contractor processes the Client's personal data in a member state of the European Union or a country belonging to the European Economic Area. A transfer to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled. In this case, the Contractor shall ensure that an adequate level of data protection is ensured in the third country by taking the necessary measures.

    4. The Client hereby agrees to the relocation of individual processing operations to the third countries listed in Annex 2. For an overview of how an adequate level of data protection is ensured in the respective third country, please refer to Annex 2.

    5. The subject of this data processing is the following types of personal data: Client input. The Client's input includes all content and data that the Client enters into himala, uploads, makes available by releasing external data sources or otherwise transmits to Oxolo for processing in himala. The himala software is suitable for processing a wide variety of file formats and media (e.g. video, image, audio or text data). The type of personal data (if available as part of the input) is determined solely by the Client. Oxolo has no control over the type of personal data that is processed in himala.

      Depending on the Client's selection, the data may therefore include the following types of personal data: 

      • Personal master data (e.g. name, contact details, place of residence, telephone number, nationality)

      • Video, image and audio material (e.g. photos, videos, audio recordings)

      • Communication data (e.g. chat, e-mail)

      • Documents (e.g. contract documents, receipts, invoices, notes, memos)

      • Table and register data (e.g. Excel tables)

      • Calendar entries (e.g. appointments)

      • Location data (e.g. information stored on maps)

      • Program code

      • Special categories of data

      • Company data (e.g. personnel data, presentations, concepts, strategies)

      • Financial figures (e.g. account statements, deposit statements)

      • Health data (e.g. medical reports, health apps, prescriptions)

      • Further input data of the Client

    6. The categories of data subjects affected by the processing: Persons who are identifiable in the Client's input.

      The selection of the categories of data subjects affected by the processing is made by the Client and depends on the respective input (see § 3 No. 5 of this DPA). The categories of data subjects affected by the processing may include:

      • Client (if it is a natural person)

      • Business partner

      • Customers

      • Suppliers

      • Employees

      • Interested parties (e.g. website visitors, applicants, potential business partners)

      • Other contacts of the Client

      • Other persons identifiable in the Client's input data

  4. Technical and organizational measures

    1. The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the requirements of data protection law. To this end, it must establish the security of data processing in accordance with Art. 28 (3) lit. c, 32 GDPR, in particular in conjunction with Art. 5 (1), (2) GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR must be taken into account. The specific measures taken by the Contractor are set out in Annex 3 (Technical and Organizational Measures).

    2. As proof of the measures taken, the Contractor may also submit current certificates, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security or data protection audits). In particular, compliance with approved codes of conduct in accordance with Art. 40 GDPR or an approved certification procedure in accordance with Art. 42 GDPR is suitable for demonstrating compliance with the requirements mentioned here. If an audit by the Client reveals a need for adjustment, this must be implemented by mutual agreement.

    3. The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.

  5. Authority of the Client to issue instructions

    1. The Contractor shall process personal data on behalf of the Client in accordance with the provisions of the User Agreement and Annex 1. The Contractor and any person under the authority of the Contractor who has access to personal data may only collect, process and use the data processed on behalf of the Client in accordance with documented instructions from the Client, including the powers granted in this DPA, unless they are legally obliged to process it (Art. 29 GDPR).

    2. The Client already now issues the instruction to process the Client's personal data (a) for the operation of himala and for the provision of the services in accordance with the User Agreement, (b) as further specified by the contractual use of himala by the Client, and (c) as documented in the User Agreement. Within the framework of the existing contractual relationship, the Client may also issue instructions in individual cases ("individual instructions") for the automated processing of personal data at any time. If the Client issues individual instructions that go beyond the legal requirements or the product-specific parameters of himala, the resulting costs shall be borne by the Client. The Contractor shall inform the Client of this circumstance as well as the amount of the costs likely to be incurred and shall only carry out the relevant individual instruction after express confirmation by the Client.

    3. The Contractor shall not use the data for any other purposes and is in particular not entitled to pass it on to third parties. Copies and duplicates of data shall not be made without the Client's knowledge. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as copies of data that are necessary in order to comply with statutory retention obligations.

    4. The Client shall confirm verbal instructions immediately (at least in text form).

    5. The Contractor must inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. If the Client confirms the instruction and instructs the Contractor to carry out this instruction despite the Client's concerns with regard to a possible illegality of the instruction, the Client shall indemnify the Contractor against all damages and costs incurred by the Contractor due to the implementation of this instruction if the instruction actually proves to be unlawful and claims should therefore be asserted against the Contractor or a fine should be imposed.

  6. Duties of the Contractor

    In addition to complying with the rules set out in this order, the Contractor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Contractor ensures, in particular, compliance with the following requirements:

    1. The Contractor shall maintain confidentiality in accordance with Art. 28 (3) sentence 2 b, 32 (4) GDPR. To this end, the Contractor shall entrust only such employees with the performance of services pursuant to the Service Agreement who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The confidentiality obligation shall continue to apply after termination of the work activities.

    2. The Client and the Contractor shall cooperate, on request, with the supervisory authority in performance of its tasks.

    3. The Contractor shall inform the Client without undue delay of any inspections and measures taken by the supervisory authority insofar as they relate to this order. This shall also apply if a competent authority investigates the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the Contractor.

    4. If the Client is subject to an inspection by the supervisory authority, administrative offense or criminal proceedings, liability claims by a data subject or a third party or any other claims in connection with the commissioned data processing by the Contractor, the Contractor shall provide the Client with reasonable support to the best of its ability.

  7. Rectification, restriction and erasure of data, rights of data subjects

    1. The Contractor may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.

    2. If a data subject contacts the Contractor directly concerning the rights referred to in paragraph 1 or for the purpose of exercising their other data subject rights, the Contractor shall forward this request to the Client without delay.

  8. Subcontracting

    1. Subcontracting for the purpose of this DPA is to be understood as meaning services which relate directly to the provision of the principal service under this DPA. This does not include ancillary services from which the Contractor benefits, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Contractor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.

    2. The Contractor may use the subcontractors listed in Annex 2 to provide the services. In addition, the Client shall grant the Contractor general approval for the future use of new subcontractors and/or the future change of existing subcontractors.

    3. The Contractor shall inform the Client of any intended change regarding the involvement or replacement of a subcontractor at least four (4) weeks before enabling this subcontractor to process the Client's personal data ("Notification Period"). The Client may object in writing to the appointment of the new subcontractor by the Contractor within the Notification Period, provided that this objection is based on objective grounds (e.g. in connection with data protection). In such a case, the parties shall discuss these concerns in good faith in order to find a solution. If the parties are unable to reach a solution within the notification period, the Client may terminate the contract of use without notice as its sole and exclusive remedy. If the Client does not exercise its right of objection, the change shall be deemed approved.

    4. The transfer of personal data of the Client to the subcontractor and the subcontractor's initial activities are only permitted once all requirements for subcontracting have been met, in particular a contractual agreement in accordance with Art. 28 (4) GDPR.

    5. If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure that the service is permissible under data protection law by taking appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.

    6. The Contractor shall be liable to the Client for data processing by the subcontractors engaged by it in the same way as for its own services under this DPA.

  9. Supervisory powers of the Client

    1. The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases, provided that these inspectors are not competitors of the Contractor. It shall have the right to satisfy itself of the Contractor's compliance with this DPA in its business operations during normal operating and business hours without disrupting operations by means of random checks, which must generally be notified in good time, but in the case of event-related checks at any time without prior notification. 

    2. The Contractor shall ensure that the Client is able to verify compliance with the obligations of the Contractor in accordance with Art. 28 GDPR. Upon request, the Contractor undertakes to provide the Client with the information required to carry out an inspection and, in particular, to provide evidence of the implementation of the technical and organizational measures.

    3. Evidence of such measures, which need not concern only the specific order, can be provided by:

      • Compliance with approved codes of conduct pursuant to Art. 40 GDPR;

      • Certification according to an approved certification procedure pursuant to Art. 42 GDPR;

      • Current certificates, reports or reports from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors);

      • A suitable certification through an IT security or data protection audit (e.g. in accordance with BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI))).

  10. Duties of the Contractor to provide support

    1. The Contractor shall support the Client in complying with its duties regarding the security of the processing of personal data, the obligation to notify a personal data breach, the implementation of data protection impact assessments, and prior consultations (Art. 32 to 36 GDPR). Support provided by the Contractor includes in particular:

      • a) Ensuring an adequate level of protection by implementing technical and organizational measures which consider the context and purposes of the processing as well as the predicted probability and seriousness of a potential breach due to security gaps, and enable immediate determination of relevant breaches (§ 3 of this DPA);

      • b) The obligation to notify the Client immediately of any personal data breaches. Thus the Contractor shall inform the Client immediately and fully if an inspection of the results of the order demonstrates errors or irregularities of data protection relevance. Further, the Contractor shall promptly notify the Client of serious disruptions of the operational processes, of suspected violations of data privacy, and of other irregularities concerning the Client's data in connection with the processing of the Client's data. The Contractor shall implement all necessary and reasonable measures to secure the relevant data and to reduce any disadvantages to the Client;

      • c) The obligation to support the Client in its duty to notify the supervisory authority and, if applicable, the data subjects and to provide the Client with all relevant information in this context without undue delay;

      • d) The support of the Client in the context of any data protection impact assessment;

      • e) The support of the Client in the context of prior consultations with the supervisory authority;

      • f) The obligation to cooperate with the Client at the request of the competent supervisory authority in responding to this request and to provide the Client with appropriate support.

    2. The Contractor may claim remuneration for support services that are not included in the service description of himala (see Annex 1) or are not attributable to misconduct on the part of the Contractor.

  11. Deletion and return of personal data or destruction

    1. After conclusion of the contracted work, or earlier upon request by the Client – at the latest upon completion of the services pursuant to the User Agreement – the Contractor shall hand over to the Client all documents, processing and utilization results, and data sets related to the contract that have come into its possession, or – subject to prior consent – destroy them or delete the data in a data-protection compliant manner, unless there are conflicting legitimate reasons within the meaning of Art. 17 (3) GDPR. The same applies to any and all connected test, waste, redundant and discarded material. The Contractor is obliged to hold evidence of the disclosure and erasure of personal data or the destruction of data media and to submit such evidence to the Client on request.

    2. The Client shall determine the necessary measures to erase stored data after termination of the order. Insofar as additional costs arise from disclosure or erasure of the Client's data upon termination of the Agreement, they shall be borne by the Client.

    3. Documentation which is used to demonstrate orderly data processing in accordance with the order shall be stored beyond the contract duration by the Contractor in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Contractor of this contractual obligation.

  12. Liability of the parties

    1. The Contractor shall be liable for the fulfillment of its obligations under this DPA in accordance with the provisions of the User Agreement.

    2. The Client shall remain responsible to the data subject as the controller within the meaning of the GDPR (Art. 82 (1), (2) sentence 1 GDPR) for compensation for damages suffered by a data subject due to data processing by the Contractor that is inadmissible or incorrect under the GDPR or other data protection regulations. Insofar as the Client is obliged to pay damages to the data subject, it reserves the right to take recourse against the Contractor in accordance with Art. 82 (2) sentence 2 GDPR; otherwise, Art. 82 (3) to (6) GDPR shall apply.

  13. Miscellaneous

    1. Any right to retention on part of the Contractor to the data processed under the Agreement pursuant to Section 273 BGB (German Civil Code) shall be excluded.

    2. Should the Client's data be endangered at the Contractor due to seizure or attachment, insolvency or composition proceedings, or any other events or measures by third parties, the Contractor shall inform the Client immediately. The Contractor shall promptly inform all parties responsible in this context that the Client as controller in the meaning of the GDPR exclusively holds control and ownership in these data.

    3. The following Annexes shall form an integral part of this DPA:

      • Annex 1 - Service description himala

      • Annex 2 - Subcontractors

      • Annex 3 - Technical and organizational measures

Annex 1 - Service description himala

The Contractor shall provide the Client with the himala software with the following functions:

  1. Description of the service

    Himala is an advanced, digital AI assistant that helps users to efficiently organize, prioritize and automate personal and professional tasks. As a platform for intelligent support, himala integrates data from various sources such as calendars, emails, document management systems and communication platforms to seamlessly bring together relevant information.

    Himala works proactively and automatically identifies tasks, priorities and optimization opportunities without the user having to constantly intervene. Himala enables routine tasks such as scheduling, document management or notifications to be carried out independently and securely.

    Himala's focus is on providing a personalized and intuitive user experience backed by strict security and privacy standards. The aim is to help customers gain more time for the essentials by automating repetitive and time-consuming tasks.

  2. Purpose of the processing

    Personal data is processed solely for the purpose of providing the following himala services:

    • Integration and linking of Client data sources to optimize task management and automation.

    • Provision of personalized recommendations based on the data sources provided and synchronized.

    • Automation of routine tasks such as appointment management, document management and communication.

    • Proactive support through the analysis and prioritization of data.

    For this purpose, personal data is collected, categorized, converted, queried, organized and sorted, stored, analyzed (e.g. pattern recognition), summarized and transmitted to the Client, updated, processed and deleted or destroyed by the Contractor on the instructions of the Client.

Annex 2 - Subcontractors

https://docs.google.com/document/d/1yqAEsqXQjfvpRCTxJHffn9vdSYpRKYVrwfmDnbT7jHQ/edit?usp=sharing

Annex 3 - Technical and organizational measures

  1. Access control (physical access control)

    • Access rights: Physical access is regulated by video surveillance, alarm and access control systems.

    • Access restrictions: Server rooms are protected against unauthorized access, especially outside business hours. AWS is used as a data center.

    • Monitoring of external persons: Visitors are accompanied and documented in visitor lists.

  2. Access control (logical access control)

    • Authentication: All systems use individual user accounts with 2-factor authentication (2FA).

    • Access rights: Access is granted based on the need-to-know principle and all rights are reviewed every six months.

    • Roles and authorizations: Authorizations are granted by system owners and C-level executives.

  3. Storage control

    • Encryption: Data on mobile IT systems is fully encrypted.

    • Password protection: All users use complex passwords that are changed regularly.

    • Screen lock: Password-protected screen saver during work interruptions.

  4. Transmission control

    • Secure transmission paths: Data is transmitted via encrypted connections (e.g. HTTPS, VPN).

    • No physical data carriers: No physical data carriers are used.

  5. Recovery

    • Data backups: Daily backups are performed automatically in the cloud (AWS) and checked regularly.

    • Emergency plans: Emergency and crisis management plans exist and are tested regularly.

  6. Separation requirement

    • Data isolation: The data of different customers is kept separate by means of access restrictions and separate databases.

    • Test and production data: These are processed separately from each other.

  7. Communication control

    • Confidentiality agreements: External service providers are contractually obliged to comply with data protection.

    • Remote access: Maintenance work is only carried out after approval and is documented.

  8. Integrity and availability control

    • Protective measures: Malware protection and regular security updates for all systems.

    • Fire protection: Server rooms are equipped with fire doors and extinguishing systems.

  9. Engagement of external service providers

    • Data processing: There are written contracts (Data Processing Agreements, DPA) with all sub-processors, including AWS.