Data Processing Agreement (hereinafter referred to as this “Agreement”)
of the license agreement for kiwiHR Software
1.1 YooniQ solutions GmbH (hereinafter "YooniQ") offers the Principal the option to use the web-based software application KiwiHR for digital job applicant management, which is provided to the Principal for use via the Internet.
1.2 The Principal and YooniQ have entered into a licensing agreement for the use of the web-based software application KiwiHR.
1.3 This Agreement sets out in detail the Contracting Parties' data protection obligations with regard to the protection of the Principal's personal data.
For the purpose of this Agreement, the following terms shall have the meanings defined below:
a.) A "Contracted Processor" is a natural or legal person, agency, entity or other body that processes personal data on behalf of the Responsible Party.
b.) A "Third Party" is a natural or legal person, agency, entity or other body other than the affected person, the Responsible Party, the Contracted Processor and the persons who, under the direct authority of the Responsible Party or the Contracted Processor, are authorized to process the personal data.
c.) "Personal Data" or simply "Data" is any information relating to an identified or identifiable natural person (hereinafter the "affected person"). A natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more special characteristics that are expressions of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
d.) "Pseudonymization" is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific affected person without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person.
e.) A "Responsible Party" is the natural or legal person, agency, entity or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union law or the law of an EU member state, the Responsible Party, or the specific criteria for its nomination, may be provided for by European Union law or the law of the EU member states.
f.) "Processing" is any operation or series of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g.) "Violation of the Protection of Personal Data" is a breach of security, whether accidental or unlawful, that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
3. Subject Matter of this Agreement and Term of the Agreement
3.1 The subject matter of this Agreement comprises the statutory obligations of the Contracted Processor with regard to personal data of the Principal which YooniQ processes on behalf of the Principal.
3.2 The Principal shall be solely responsible for assessing the lawfulness of the contract processing and for safeguarding the rights of the affected persons.
3.3 The term of this Agreement shall begin on the effective date of the underlying licensing agreement and shall end concurrently with the termination of the licensing agreement pursuant to Section 12 of the contractual terms for the use of the YooniQ solutions GmbH software KiwiHR.
3.4 Notwithstanding Section 3.3, either Contracting Party may terminate this Agreement at any time for good cause. If the good cause consists of a breach of an obligation under this Agreement, the termination shall take effect only after the unsuccessful expiry of a period set for remedying the breach or after a warning notice that has gone unheeded. Good cause for YooniQ shall in particular exist if
a.) the Principal repeatedly issues unlawful instructions, YooniQ has promptly notified the Principal of this fact pursuant to Section 5.4, and the Principal nevertheless insists that the instructions be carried out;
b.) the Principal breaches its obligations under this Agreement in a manner that is more than insignificant.
4. Type and Scope of the Contract Processing Work
4.1 The access privileges with regard to the Principal's data for the purpose of rendering the services under the licensing agreement shall apply to the extent defined in Annex 1. This Agreement does not extend those privileges; it merely specifies YooniQ's performance obligations in more detail (see also Section 5.3; on the hierarchy of the contractual documentation, see Section 16). However, this Agreement also governs the performance obligations of the Principal.
4.2 Further details may be the subject of the Principal's instructions (see Section 5).
4.3 YooniQ shall process the data not for its own business purposes but exclusively on behalf of the Principal and in compliance with this Agreement. YooniQ shall not be authorized to process the data for any other purpose and shall in particular not transfer the data to third parties or disclose them to other recipients without the Principal's prior consent, unless this Agreement provides otherwise.
5. Principal's Instructions, Rights of Affected Persons, Data Protection Impact Assessment
5.1 The Principal shall have the right to issue instructions specifying and amending the type, purpose and scope of the contract processing, the data to be processed and the affected persons. This applies in particular, but not exclusively, where a regulatory agency or a change in legislation prompts or requires such instructions from the Principal. If an affected person contacts YooniQ directly, YooniQ shall promptly notify the Principal in text format and request the Principal's instructions as to the next steps.
5.2 If the Principal conducts a data protection impact assessment, YooniQ shall, upon receiving corresponding instructions, support the Principal to the extent reasonable and necessary, including in any prior consultation with the competent regulatory agency.
5.3 Instructions by the Principal shall be limited to the implementation of statutory or government agency requirements under data protection legislation. As a rule, the Principal shall give all instructions in writing (by e-mail). Instructions given verbally in exceptional cases shall be promptly confirmed by the Principal by e-mail.
5.4 YooniQ shall promptly notify the Principal in text format if YooniQ is of the opinion that an instruction given by the Principal violates applicable data protection legislation, or is more than insignificantly erroneous, incomplete or contradictory, or cannot be executed for legal or technical reasons. Together with this notification, YooniQ shall expressly request in text format that the Principal promptly clarify whether YooniQ should nonetheless comply with the instruction, or whether YooniQ should continue the contract processing without taking the instruction into account until the Principal has reviewed the notification and decided how to proceed.
6. Information Obligations and Other Obligations of the Contracted Processor
6.1 In the event of a violation of the protection of personal data, the Principal may be subject to notification obligations. If there are grounds to suspect a more than insignificant violation of the protection of the Principal's personal data by YooniQ or by persons working on behalf of YooniQ, or if YooniQ becomes aware of such a violation, YooniQ shall notify the Principal immediately.
6.2 To the extent reasonable and necessary, the Principal shall have the right to require YooniQ to support the Principal in fulfilling its notification obligations.
7. Data Protection Officer
7.1 The appointed data protection officer on YooniQ's side is Mr. Dominik Fünkner of PROLIANCE GmbH. If the appointed data protection officer changes, the Principal shall be notified immediately.
7.2 The Principal shall notify YooniQ of the identity of the Principal's data protection officer(s) or, if the Principal is not required to appoint a data protection officer and has not appointed one, of the identity of the person who assumes the corresponding responsibility and handles related tasks on the Principal's side. The Principal shall notify YooniQ of any imminent changes in this regard without having to be expressly prompted by YooniQ.
7.3 If the Principal is required to appoint a representative, the Principal shall notify YooniQ of the identity of this representative. The Principal shall notify YooniQ of any imminent changes in this regard without having to be expressly prompted by YooniQ.
8. Persons Reporting to YooniQ
8.1 For the contract processing work to be performed under this Agreement, YooniQ shall assign only personnel who have been bound to confidentiality in a documented manner and who have previously been familiarized with the statutory data protection provisions relevant to their work on behalf of the Principal.
8.2 YooniQ shall ensure that all of its personnel who have entry privileges, system access or physical contact with the Principal's data process this data only within the limits of, and in compliance with, the Principal's instructions and the provisions of this Agreement. The only exception is individual processing operations, in particular data transfers, that are expressly ordered from YooniQ or its personnel by a court or government agency within the EU on the basis of the laws of the European Union or its member states.
9. Principles of Processing Security, Technical and Organizational Security Precautions
9.1 Taking into account the state of the art, the implementation costs, and the type, scope, circumstances and purposes of the contract processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons (risk analysis), YooniQ shall implement technical and organizational precautions to adequately protect the data.
9.2 In assessing the appropriate security level, YooniQ shall take into consideration the risks associated with the contract processing of the Principal's data, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, the Principal's data.
9.3 YooniQ shall update and adapt the technical and organizational measures that form part of its security concept to the state of the art, whereby it shall be ensured that they do not fall below the security and protection levels defined in this Agreement (Annex 2).
9.4 YooniQ shall document the technical and organizational precautions under this Agreement in detail in Annex 2. YooniQ shall keep this documentation up to date and shall document any significant changes.
9.5 The Principal shall verify the technical and organizational measures on the basis of its own risk analysis. It is the Principal's responsibility to ensure that the technical and organizational precautions provide a level of protection appropriate to the risks inherent in the processed data. If the Principal's risk analysis produces a different result than YooniQ's risk assessment, the Principal shall have the right to negotiate an adaptation of the security precautions with YooniQ. If the Parties fail to reach an agreement, either Contracting Party shall have the right to terminate the Agreement as of the end of the respective month.
10.1 The Principal shall have the right to verify the provision of the services by YooniQ with regard to the Principal's data and YooniQ's compliance with this Agreement, in particular the technical and organizational precautions to ensure the security of processing (see Section 9 and Annex 2), in accordance with Sections 10.2 to 10.4 below.
10.2 Upon request, YooniQ shall provide the Principal with a qualified self-disclosure from an independent third party (e.g. a data protection officer (DSB), a financial auditor, or a third-party data protection / security auditor) in text format. This disclosure shall contain all information required to verify compliance with and implementation of the obligations under this Agreement as well as the current technical and organizational precautions for the security of processing (see Section 9 and Annex 2). The Principal may demand this disclosure once per calendar year, and at shorter intervals only if there are justified grounds to suspect a violation of this Agreement by YooniQ (the Principal shall send YooniQ a notice to this effect in text format).
10.3 The Principal shall have the right to verify compliance with this Agreement, and in particular the security of data processing by YooniQ, by conducting on-site inspections that are pre-arranged and announced in text format and that take place on YooniQ's business premises during regular business hours. Such inspections may also be conducted by a third-party auditor who is subject to statutory or contractual non-disclosure obligations. These restrictions on the Principal shall not apply in urgent cases, of which the Principal shall notify YooniQ in advance in text format.
10.4 The Principal shall ensure that on-site inspections do not interrupt YooniQ's business operations and do not breach the confidentiality of the data of YooniQ's other customers.
11. Other Contract Processors (Sub-contractors)
11.1 If and to the extent that YooniQ, by express agreement with the Principal, is entitled to engage additional contract processors (sub-contractors), and if it cannot be ruled out that these sub-contractors will have an opportunity to become aware of the Principal's data, YooniQ may commission the sub-contractor only after YooniQ has informed the Principal in text format of the details set out in Section 11.2, the Principal has been given an opportunity to object (see Section 11.3), and the Principal has not objected within the objection period.
11.2 The information provided by YooniQ pursuant to Section 11.1 shall contain at least the following specifics, in concrete and detailed form:
a.) The sub-contractor's identity
b.) The specific services the sub-contractor is to provide to YooniQ
c.) The experience, performance capacity and dependability of the sub-contractor, as well as its IT security level and data protection measures, insofar as these are decisive for compliance with the obligations set forth in this Agreement, and
d.) The guarantees and assurances given by the sub-contractor that it will comply with the provisions of this Agreement accordingly.
11.3 The Principal shall have the right to object to the commissioning of any sub-contractor, in text format, within 7 days after receipt of the information pursuant to Sections 11.1 and 11.2. Such objections shall not be arbitrary. In the event of an objection, YooniQ shall fulfill its service obligations and duties under this Agreement without the use of the sub-contractor (with regard to YooniQ's extraordinary right to terminate, see 3.4 c.).
11.4 If the sub-contractor is to be given access to the Principal's data, YooniQ shall enter into a written contract processing agreement with the sub-contractor before making the Principal's data accessible to the sub-contractor for the first time; this agreement shall be equivalent to this Agreement as far as the sub-contractor's obligations are concerned.
11.5 The Principal herewith consents to the engagement of the following sub-contractors upon execution of this Agreement:
| Name and address of the sub-contractor | Description of the work to be done by the sub-contractor on behalf of YooniQ |
| --- | --- |
| AWS Inc., 410 Terry Avenue North, Seattle, WA 98109, United States | Provision of computing services (hosting, data processing, storage) |
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Provision of computing services (hosting, data processing, storage) |
| Wildbit LLC (Postmark), 225 Chestnut St., Philadelphia, PA 19106, USA | Sending of e-mails |
| YooniQ solutions Sp. z o.o., ul. Zwierzyniecka 29/205, 31-105 Kraków, Poland | Technical development and layout support |
| Calendly LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA | Arranging online demos |
| HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland | Customer management system |
| Conflux V.O.F., Einsteinlaan 205, 1171VT Badhoevedorp, the Netherlands | Communication of functional inquiries |
| Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Republic of Ireland | Settlement of payment terms and subscription model |
| Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland | Customer onboarding, sending messages and support tickets via e-mail and chat |
| Mixpanel, S.L., Attn: EEA DPO, 92, 75 Av. de Champs-Elysees, 75008 Paris, France | Processing data related to application usage and product analytics |
12. Return and Deletion
12.1 Upon termination of this Agreement, or earlier at the Principal's request, YooniQ shall return or hand over to the Principal any and all data, data media, databases, documentation and other materials of the Principal, as well as all work product of the contract processing (including drafts and preliminary versions).
12.2 For details of the deletion obligations, see Annex 1. Immediately upon termination of this Agreement, or earlier at the Principal's request, YooniQ shall delete all data, unless this conflicts with statutory storage or retention obligations on YooniQ's side under EU law or the law of an EU member state, or unless an express, differing agreement on the storage or deletion of the data exists with the Principal. YooniQ shall document the deletion.
13. Costs Absorbed by YooniQ
Any and all costs and expenditures that YooniQ, or possibly a sub-contractor, incurs as a result of the contract processing for the Principal under this Agreement, and which YooniQ shall document, shall be reimbursed separately to YooniQ in accordance with the YooniQ price list in effect at the time. This applies in particular to costs arising from:
a.) the obligation to fulfill the rights of affected persons upon the Principal's instruction, in particular the correction, deletion or restriction of data, the return of data to the Principal and, where applicable, data portability, or assistance with the foregoing;
b.) the obligation to assist with a data protection impact assessment pursuant to Section 5.2;
c.) compliance with or implementation of the Principal's instructions pursuant to Section 5.3;
d.) the obligation to assist in fulfilling notification obligations vis-à-vis the regulatory agency or the affected persons pursuant to Section 6.2;
e.) the compilation of a qualified self-disclosure pursuant to Section 10.2;
f.) on-site audits by the Principal or by third-party auditors commissioned by the Principal, unless significant deficiencies are found (see Section 10.3); the duty to explain and the burden of proof in this respect shall lie with the Principal;
g.) additional costs for technical and organizational precautions to ensure the security of processing pursuant to Section 9.1 that have been agreed between the Contracting Parties because of a disparity between the risk analyses pursuant to Section 9.5;
h.) the fulfillment of the return and deletion obligations pursuant to Section 12 during the active term of the Agreement.
14. Changes to this Agreement
14.1 Changes and adaptations of this Agreement and its Annexes and Appendices shall be made in writing and shall not take effect until a written change agreement has been executed.
14.2 The Principal shall assist with such changes and adaptations (Section 14.1) and shall consent to them if YooniQ is required by law to implement them.
15.1 If an affected person and/or any third party asserts claims against YooniQ because of a data processing operation that YooniQ has performed as contract processor for the Principal, the Principal shall indemnify YooniQ against any such liability and bear any related legal expenses, damages and/or fines and penalties.
15.2 Section 15.1 shall not apply if YooniQ has failed to fulfill the obligations specifically imposed on a contract processor, has disregarded lawful instructions of the Principal, or has acted contrary to such instructions.
16. Hierarchy of the Contract Documentation
16.1 In the event of contradictions or conflicts between this Agreement and the licensing agreement referred to in Section 1.2, the following ranking shall apply, in the order listed:
1. This Agreement
2. The Licensing Agreement
16.2 In the event of contradictions or conflicts between this Agreement and its Annexes, the following ranking shall apply, in the order listed:
Annex 1: Affected persons, type of data and scope of processing, processing systems
Annex 2: Risk-based technical and organizational precautions implemented by YooniQ
The Principal accepts this Agreement by ticking the corresponding check boxes. In line with the ordering process, this Agreement forms part of the contract concluded between the two parties.
Annex 1: Details related to the affected persons, type of data, scope of processing and processing systems
I. Categories of affected persons
Employees of the Principal
II. Type of data
Personal data (title, first and last name, date of birth, citizenship, ...)
Communication data (address, e-mail, phone numbers, ...)
Social network profiles (LinkedIn, Facebook, Twitter, ...)
Free-text fields (entry fields for individual use)
File attachments (contracts, curricula vitae, forms, ...)
III. Scope of processing
Registration of users to use the service
Registration of employees to use the system
Recording of contact data for employee management
Compilation and visualization of reports and statistics
Employee management (digital data, time off management, time tracking, payroll, ...)
IV. Processing system(s), including import and export of data from surrounding systems
Amazon Web Services (hosting service)
Google Cloud Platform (hosting service)
Postmark product of Wildbit LLC (mailings)
Mixpanel (product analytics)
Annex 2: Risk-based technical and organizational precautions implemented by YooniQ
At its business domicile (currently Rüdesheimer Str. 21, 80686 Munich, Germany), the Contractor (YooniQ) has implemented the following technical and organizational precautions in order to protect its customers' personal data. These precautions of the Contractor are complemented by the technical and organizational measures of the sub-contractors engaged by the Contractor pursuant to Section 11.5 of the Contract Processing Agreement.
2. Technical and organizational precautions implemented by the Contractor
2.1 Entry control (physical access to premises)
Manual locking system
Automatic locking system
Controlled / documented key assignment
Secure safeguarding of additional keys / cards
Reception / gate guard
Rules governing the locking of entryways / offices
Keys that cannot be duplicated
Guard service / plant security
Rules / policies to be observed by employees
Rules / policies to be observed by visitors
Supervision of temporary workers
Safeguards on doors
2.2 System access control (access to IT systems)
Log-in with username and password
Automatic screen lock
Rules / policies to be observed by employees
Individual set-up of access privileges
Encrypted data media
Exclusion of group accounts
Careful vetting of cleaning staff
2.3 Data access control (access to data within systems)
Limited access (“need to know” principle)
Separation of responsibilities
Rules / policies to be observed by employees
Data protection compliant deletion of data media
No exchange of end devices
Password length / change requirements
No account sharing
2.4 Transfer control
VPN / tunnel connections
Encrypted e-mail communication
Encryption of data on data media
Encrypted data transfer
Rules / policies employees have to comply with
2.5 Input control
Document management system
Rules / policies employees have to comply with
2.6 Order control
Clearly written contracts with customers and sub-contractors
Careful vetting of sub-contractors using security relevant criteria
2.7 Guarantee of availability and resilience
Data backup at regular intervals
Uninterrupted power supply
Emergency contingency plans
Automatic notification in the event of incidents
Fire / smoke alarms
Rules / policies employees have to comply with
Documentation of activities
Outsourced data backup
Computing services (hosting, data processing, storage) are provided by third-party providers that have strong security precautions in place. For more detailed information, see:
Amazon Web Services - https://aws.amazon.com/security/?nc1=f_ls
Google Cloud Platform - https://cloud.google.com/security/?hl=de
Intercom - https://www.intercom.com/de/security
Stripe - https://stripe.com/us/privacy
Postmark - https://postmarkapp.com/eu-privacy
2.8 Separation control
Separation of productive / test system
Separation of different customers' / Principals' data (multi-client capability)
Rules / policies employees have to comply with
Separation of backups based on clients
2.9 Effectiveness checks for security precautions
Audited data protection management through an external data protection officer (processes related to information duties and the handling of information requests, commitment of employees to non-disclosure and data secrecy, data processing agreements, ...)
Deletion concepts with defined deadlines (application management and backups)
Privileges concept ("need to know" principle, role concept, dedicated employees who have access to personal data)