Data Processing Agreement

This agreement is an addendum to our Terms of Service and describes how Sidequest GmbH (herinafter "Processor") processes data for a customer of Sidequest (herinafter "Controller").

§ 1 Subject of the Agreement and Term

  1. The Processor performs services for the Controller as described in Appendix 1. Appendix 1 details the subject-matter, type and purpose of processing, the types of data and categories of data subjects.
  2. This Agreement shall – unless otherwise agreed – become part of the Terms of Service agreed to by both parties and shall apply as long as the Processor processes personal data on behalf of the Controller.

§ 2 Instructions of the Controller

  1. The Controller is responsible for compliance with the relevant data protection provisions, in particular for the admissibility of the data processing and for safeguarding the data subjects' statutory rights, stipulated by the GDPR. Statutory or contractual liability provisions shall remain unaffected.
  2. The Processor processes the personal data disclosed by the Controller solely under the instructions of the Controller and within the scope of the agreed services/stipulations. Data must only be corrected, erased or blocked upon the Controller’s instructions.
  3. Unless processing of certain personal data is required by law of the European Union or a Member State to which the Processor is subject, the Processor must only process data under the Controller’s instruction. In such a case, the Processor shall inform the Controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
  4. The Controller’s instructions require no specific form. Verbal instructions must be documented by the Controller. Instructions must be given in writing or in text form, if the Processor requires it.
  5. If the Processor believes that an instruction given by the Controller infringes upon data protection laws, he must inform the Controller of this without undue delay.

§ 3 Technical and Organizational Measures

  1. The Processor undertakes to employ adequate technical and organizational security measures for the data processing and to document them in Appendix 3 of this Agreement. These security measures should be appropriate to the risks involved with the specific personal data processing operations.
  2. The measures that have been taken can be adapted to future technical and organizational developments. The Processor may only carry out these adaptions, if they satisfy at least the previous level of security. Where no other regulations exist, the Processor must only inform the Controller of substantial changes.
  3. The Processor shall support the Controller to comply with all legal obligations as far as the technical and organizational measures are concerned. The Processer shall, upon request, cooperate in creating and maintaining the Controller’s record of processing activities. The Processor shall cooperate with the creation of a data protection impact assessment and if necessary with prior consultations with supervisory authorities. Upon request, the Processor shall disclose the required information and documents to the Controller.

§ 4 Obligations of the Processor

  1. The Processor confirms that he is aware of the relevant data protection regulations. The Processor’s internal operating procedures shall comply with the specific requirements of an effective data protection management.
  2. The Processor guarantees that he has implemented appropriate technical and organizational measures, in a way that the processing is in compliance with the requirements of data protection law and the rights of data subjects.
  3. The Processor warrants and undertakes that all employees involved in the personal data processing procedures are familiar with the relevant data protection regulations. The Processor assures that those employees are bound to maintain confidentiality, or are subject to an adequate legal obligation of secrecy. The Processor shall monitor compliance with the applicable data protection regulations.
  4. The Processor may only access the Controller’s personal data if it is necessary for the purposes of carrying out the data processing.
  5. Insofar as it is legally required, the Processor shall appoint a Data Protection Officer. The Processor’s Data Protection Officer’s contact details are to be shared with the Controller for the purposes of making direct contact.
  6. The Processor may only process personal data provided to him exclusively in the territory of the Federal Republic of Germany or in a Member State of the European Union. Processing personal data in a third country requires prior explicit approval by the Controller and must meet the relevant legal requirements.
  7. The Processor supports the Controller with appropriate technical and organizational measures to ensure that the Controller can fulfill his obligations to respond to requests for exercising the data subject's rights, e.g. the right to information, the right to rectification and to erasure, the right to restriction of processing, to data portability and to object. The Processor will nominate a contact person who will support the Controller in the fulfillment of legal obligations to provide information in connection with the data processing, and will share this person’s contact details with the Controller without undue delay. The Processor shall support the Controller, insofar as the Controller is subject to information obligations in the event of a data breach. Information may only be given to data subjects or to third parties with the prior instruction of the Controller. If a data subject exercises his or her data subject’s rights in respect to the Processor, the Processor shall forward this request to the Controller without undue delay.

§ 5 Authority to Conclude a Subprocessing Agreement

  1. The Processor may only assign Subprocessors, after informing the Controller of every intended change in relation to the addition of or replacement of a Subprocessor, whereby the Controller has the opportunity to veto the intended change. The controller may only veto with good cause.
  2. A relationship shall be regarded as that of a Subprocessor when the Processor commissions other Processors in part or in whole for services agreed upon in this contract. Ancillary services that are provided to and on behalf of the Processor by third party service providers and that are determined to support the Processor to execute the assignment services, shall not be regarded as Subprocessors within the meaning of this Agreement. Such services may include, for example, provision of telecommunication services or facility management. However, the Processor is obliged to guarantee the protection and the security of the Controller’s data in respect to third party service providers, and to ensure appropriate and legally compliant contractual agreements and supervisory measures are in place.
  3. A Subprocessor may only have access to the data once the Processor has ensured, by means of a written contract, that the regulations of this contract are also binding against the Subprocessor, and in particular adequate guarantees are provided that appropriate technical and organizational measures are carried out in a way so that the processing is compliant with data protection regulations.
  4. The commissioning of Subprocessors listed in Appendix 2 of this Agreement at the time of signature are deemed to be approved, provided that the requirements of § 5 Para. 3 of this Agreement are implemented.

§ 6 Controller’s Right of Inspection

The Processor agrees that the Controller or a person authorized by him shall be entitled to monitor compliance with the data protection provisions and the contractual agreements to the extent necessary, in particular by gathering information and requests for relevant documents, the inspection of data-processing programs or accessing the working rooms of the Processor during the designated office hours after prior notice. Proof of proper data processing can also be provided by appropriate and valid certificates for IT security (e.g. IT-Grundschutz, ISO 27001), provided that the specific subject of certification applies to the commissioned data processing in the specific case. However, presenting a relevant certificate does not replace the Processor’s duty to document the safety measures within the meaning of § 3 of this Agreement.

§ 7 Obligation to Report Data Protection Violations by the Processor

The Processor shall notify the Controller without undue delay about any disruption in operation which implicates menace to personal data provided by the Controller, as well as of any suspicion of data protection infringements concerning personal data provided by the Controller. The same applies if the Processor discovers that his security measures do not satisfy legal requirements. The Processor is aware that the Controller is obligated to document all breaches of the security of personal data and, where necessary, to inform the supervisory authority and/or the data subjects. The Processor will report breaches to the Controller without undue delay and will provide, at a minimum, the following information:

  1. A description of the nature of the breach, the categories and approximate number of data subjects and personal data records concerned,
  2. Name and contact details of a contact person for further information,
  3. A description of the likely consequences of the breach, and
  4. A description of the measures taken for the remedy or mitigation of the breach.

§ 8 Termination of the Agreement

  1. On termination or expiration of this Agreement the Processor shall return or erase all personal data, by choice of the Controller, provided there is no statutory duty to preserve records for retention periods set by law.
  2. The Controller can terminate the contractual relationship without notice if the Processor gravely violates this Agreement or the legal provisions of data protection and the Controller can therefore not reasonably be expected to continue the data processing until the expiry of the notice period or the agreed termination of Agreement.

§ 9 Final Provisions  

  1. In case any of the Controller’s property rights are at risk in the office premises of the Processor due to measures taken by third parties (e.g. through seizures or confiscation), insolvency proceedings or any other events, the Processor shall promptly inform the Controller hereof. The Processor waives the right of lien in respect to storage media and datasets.
  2. Any and all modifications, amendments and supplements to this Agreement must be in writing and can also be made in an electronic format.
  3. Should a provision of this Agreement become unenforceable, that shall not affect the validity or enforceability of any other provision of this Agreement.

Appendix 1: List of Contracted Services and Contact Details

Subject-matter of the processing: Using the Processor's software "Sidequest" to manage tasks and helpdesk operations.

Nature and purpose of the processing: The Controller and the Controller's employees, team members or other users create, edit and view tasks as well as task-related communication using the Processor's software. The Processor stores the data, analyses, reformats and displays it for improved productivity.

Type of personal data: Task titles and descriptions, task due dates and status, task assignments to teams and users, task-related communication (text, attachments, emoji reactions), usage analysis data.

Categories of data subjects: Employees, customers, partners or other subjects related to the Controller that have accounts in the Controller's Slack Workspace.

Processor contact details: see Imprint.

Controller contact details: can be set inside Sidequest after installation.

Appendix 2: List of Deployed Subprocessors

  • DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, United States: Hosting services
  • Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, United States: Payment services

Appendix 3: Technical and Organizational Measures

Physical Access Control

No data processing systems are located on premises, in buildings or in rooms operated by the Processor. The Deployed Subprocessors prevent unauthorized persons from gaining physical access to premises, buildings or rooms, where data processing systems are located which process personal data. Details can be found in the Deployed Subprocessors' DPAs.

System and Data Access Control

Data processing systems must be prevented from being used without authorization. The Processor has implemented the following controls:

  • Ensured that all systems processing personal data (this includes remote access) are password protected
  • Provides dedicated user IDs for authentication against systems user management for every individual
  • Assigns individual user passwords for authentication
  • Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personal to access personal data in the performance of their function
  • Implemented a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password
  • Ensured that passwords are always stored in encrypted form
  • Implemented a proper procedure to deactivate user account, when a user leaves the company or team
  • Implemented a proper process to adjust administrator permissions, when an administrator leaves company or team
  • Restricted access to files and programs based on a "need-to-know-basis”
  • Encrypt data during any transmission
  • Controls to permit only authorized personnel to modify any personal data within the scope of their function

Availability Control

The Processor does not operate any processing systems by himself. The Deployed Subprocessors have implemented controls to ensure personal data is available, protected against accidentail or unauthorized destruction or loss. Details can be found in the Deployed Subprocessors' DPAs.

Organizational Requirements

The Processor's internal organization shall take organizational measures to ensure compliant treatment of personal data. The Processor has implemented the following controls:

  • Designated a responsible person for data protection
  • Obtained the written commitment of the employees to maintain confidentiality
  • Trained staff on data privacy and data security
  • Constantly collaborates with third-party advisors on data protection and privacy