Data Processing Agreement
between
____________________________________________________________
– Controller –
and
wespond UG (haftungsbeschränkt) (Jamie)
Alte Kölner Straße 25a
51503 Rösrath
Germany
– Processor –
1. General remarks
(1) The Processor will process personal data on behalf of the Controller within the meaning of Article 4 (8) and Article 28 of Regulation (EU) 2016/679 (GDPR). This Data Processing Agreement governs the rights and obligations of the parties in connection with the processing of personal data.
(2) Insofar as the term "data processing" or "processing" (of data) is used in this Agreement, it has the meaning defined in Article 4 (2) GDPR.
2. Subject matter of the Agreement
The subject matter, nature and purpose of the processing, the nature of personal data and the categories of data subjects are set out in Annex 1 to this Agreement.
3. Rights and duties of the Controller
(1) The Controller is the responsible body within the meaning of Article 4 (7) GDPR for the processing of data on behalf of the Controller. Pursuant to section 3 (5) of this Agreement, the Processor has the right to inform the Controller if the Processor is of the opinion that the data processing is in breach of applicable statutory data protection law in this Agreement and/or an instruction.
(2) The Controller shall be the person responsible for safeguarding the data subjects' rights. The Processor shall promptly inform the Controller if data subjects assert their data subject rights against the Processor.
(3) The Controller shall be entitled to issue supplementary instructions concerning the nature, scope and procedure of data processing to the Processor at any time. Instructions must be given in text form (e.g. email).
(4) Additional expenses incurred by the Processor as a result of supplementary instructions from the Controller that go beyond the scope of the contractually agreed services shall be reimbursed by the Controller on a reasonable basis. Such reimbursement requires the Controller’s prior written approval and shall be based on documented proof and standard market rates.
(5) The Controller shall promptly inform the Processor if it finds errors or irregularities in connection with the processing of personal data by the Processor.
(6) In the event of the obligation to provide information to Third Parties pursuant to Articles 33, 34 GDPR or any other statutory reporting obligation applicable to the Controller, the Controller shall be responsible for the fulfillment of those obligations.
4. General obligations of the Processor
(1) The Processor shall process personal data only within the framework of this Agreement and/or in compliance with any additional instructions given by the Controller. Exceptions are legal provisions that may oblige the Processor to process data differently. In such a case, the Processor shall inform the Controller of these legal requirements before the processing, unless the law in question prohibits such notification on account of an important public interest. Purpose, nature and scope of data processing shall be governed exclusively by this Agreement and/or the instructions of the Controller. Data processing deviating from this Agreement shall be forbidden, unless the Controller has given its written consent.
(2) The Processor shall generally carry out the data processing on behalf of the Controller in member states of the European Union (EU) or the European Economic Area (EEA). The Processor is also permitted to process data outside the EU or EEA if appropriate subprocessors are used in the third country in compliance with the requirements of Section 10 and the requirements of Art. 44-48 GDPR are met or an exception within the meaning of Art. 49 GDPR exists.
(3) The Processor shall inform the Controller if the Processor is of the opinion that a Controller's instruction is in breach of statutory data protection laws. The Processor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the Controller. Insofar as the Processor can demonstrate that processing according to the instructions of the Controller can lead to liability of the Processor according to Article 82 GDPR, the Processor is free to suspend further processing in this respect until the liability between the parties has been clarified.
(4) The Processor shall not use Personal Data for the purpose of training, retraining, fine-tuning, or otherwise improving any machine learning or artificial intelligence models.
5. Data Protection Officer of the Processor
The Processor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The Processor shall ensure that the data protection officer has the necessary qualifications and expertise.
6. Notification obligations of the Processor
(1) The Processor shall inform the Controller immediately of each breach of statutory data protection laws or contractual agreements and/or the Controller's instructions which has occurred during the processing of the data by him or other persons involved in processing the data. The same shall apply to any violation of the protection of personal data which the Processor processes on behalf of the Controller.
(2) Furthermore, the Processor shall inform the Controller immediately if a data protection authority takes action against the Processor pursuant to Art. 58 GDPR and this action may also affect the processing which the Processor carries out on behalf of the Controller.
(3) The Processor is aware that the Controller may be subject to a notification obligation pursuant to Articles 33 - 34 GDPR, which provides that notification must be made to the supervisory authority within 72 hours after detection. The Processor shall assist the Controller in implementing the notification obligations. The Processor shall notify the Controller, in particular, of any unauthorized access to personal data processed on behalf of the Controller, without delay, but at the latest within 48 hours of knowledge of such access. In particular, the notification of the Processor to the Controller shall include the following information:
- a description of the nature of the breach of the protection of personal data, indicating, as far as possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the measures taken or proposed by the Processor to remedy the breach of the protection of personal data and, where appropriate, to mitigate its potential adverse effects.
7. Processor's obligation of cooperation
(1) The Processor shall assist the Controller in fulfilling his duty to respond to requests for the exercise of rights of the data subjects in accordance with Art. 12-23 GDPR. The provisions of section 12 of this Agreement shall apply.
(2) The Processor shall assist the Controller in compiling the records of processing activities. The Processor must provide the Controller with the required particulars by suitable means.
(3) Taking into account the type of processing and the information available to him, the Processor shall assist the Controller in complying with the obligations set out in Articles 32-36 GDPR.
8. Regulation on mobile workstation
(1) The Processor may allow its employees who are commissioned to process personal data for the Controller to process personal data at mobile workstations outside the Processor’s business premises.
(2) The Processor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when using mobile workstations of the Processor’s employees. Deviations from individual contractually agreed technical and organizational measures must be agreed with the Controller in advance and approved by the Controller in text form.
(3) In particular, the Processor shall ensure that when processing personal data at mobile workstations, the storage locations are configured in such a way that local storage of data on IT systems is excluded. If this is not possible, the Processor shall ensure that local storage is exclusively encrypted and that other persons at the location of the respective mobile workstation do not have access to this data.
(4) The Processor is obliged to ensure that effective control of the processing of personal data on behalf of the Controller at mobile workstations is possible.
(5) If employees are also to be deployed at mobile workstations by subprocessors, the provisions of paragraphs 1 to 4 shall apply accordingly.
9. Supervisory powers
(1) The Controller has the right to monitor compliance with statutory data protection laws and/or compliance with the regulations agreed between the Parties and/or compliance with the instructions of the Controller by the Processor at any time to the extent necessary.
(2) The Processor shall be obliged to provide the Controller with information to the extent necessary to carry out an inspection in the meaning of paragraph 1.
(3) The Controller may carry out the inspection within the meaning of paragraph 1 at the Processor’s business premises during normal business hours after prior notification with reasonable notice. The Controller shall ensure that the inspections are only carried out to the extent necessary in order not to disproportionately disrupt the Processor’s business operations as a result of the inspections. The parties assume that an inspection is required no more than once a year. Further inspections must be justified by the Controller, stating the reason. In the event of on-site inspections, the Controller shall reimburse the Processor for the expenses incurred, including the personnel costs for the supervision and support of the inspectors on site to an appropriate extent. The basis of the cost calculation shall be communicated to the Controller by the Processor before the inspection is carried out.
(4) As evidence of compliance with the technical and organizational measures set forth in Annex 3, the Controller may, at its discretion, accept suitable, current certificates, reports, or extracts from independent bodies (e.g., auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or appropriate certifications. If such documentation is not deemed sufficient by the Controller, the Controller shall be entitled to carry out an on-site inspection, or have one carried out by an appointed auditor. The Controller acknowledges that on-site inspections of data centers may not be possible, or only in exceptional and justified cases.
(5) The Processor shall be obliged to provide necessary information to the Controller in case of measures of a supervisory authority against the Controller according to Art. 58 GDPR, especially regarding obligations of information and monitoring, and to allow the competent supervisory authority to carry out on-site inspections. The Processor shall inform the Controller about such relevant intended measures.
(6) The Parties agree that the control measures for the processing of personal data at mobile workplaces to protect the personal rights of other persons at these mobile workplaces shall primarily be carried out by monitoring the measures to be taken by the Processor in accordance with Section 9 (2) and (3). The Controller must also be given the opportunity to monitor the mobile workplaces of employees by the Processor on an ad hoc basis.
10. Subprocessing
(1) The Processor shall be entitled to use the subprocessors specified in Annex 2 to this Agreement for the processing of data on behalf of the Controller. The change of subprocessors or the commissioning of further subprocessors is permitted under the conditions specified in paragraph 2.
(2) The Processor shall carefully select the subprocessors and check before commissioning that the subprocessor can comply with the agreements made between the Controller and the Processor. In particular, the Processor shall check in advance and regularly during the term of the contract that the subprocessor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data. In the event of a planned change of subprocessors or the planned commissioning of a new subprocessor, the Processor shall inform the Controller in text form in good time, but no later than 4 weeks before the change or new commissioning ("Information"). The Controller shall have the right to object to the change or new assignment of the subprocessor in text form within 2 weeks of receipt of the "Information", stating the reasons. The objection may be withdrawn by the Controller in text form at any time. In the event of an objection, the Processor may terminate the contractual relationship with the Controller with a notice period of at least 14 days to the end of a calendar month. The Processor shall give reasonable consideration to the interests of the Controller in the notice period. If no objection is made by the Controller within three weeks of receipt of the "Information", this shall be deemed to constitute the Controller’s consent to the change or reassignment of the subprocessor concerned.
(4) The Processor shall ensure that the provisions agreed in this contract and any supplementary instructions of the Controller also apply to the subprocessor.
(5) The Processor shall conclude a data processing agreement with the subprocessor that meets the requirements of Art. 28 GDPR. In addition, the Processor shall impose the same obligations on the subprocessor to protect personal data as are stipulated between the Controller and the Processor. The Controller shall be provided with a copy of the data processing agreement upon request.
(6) In particular, the Processor shall be obliged to ensure by means of contractual provisions that the supervisory powers (Section 9 of this contract) of the Controller and supervisory authorities also apply to the subprocessor and that corresponding supervisory rights of the Controller and supervisory authorities are agreed. It must also be contractually stipulated that the subprocessor must tolerate these control measures and any on-site inspections.
(7) Services which the Processor uses from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subprocessing relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunication services with no specific connection to services that the Processor provides for the Controller, postal and courier services, transportation services, security services. The Processor is nevertheless obliged to ensure that appropriate precautions and technical and organizational measures have been taken to ensure the protection of personal data, even in the case of ancillary services provided by third parties. The maintenance and servicing of IT systems or applications constitutes a subprocessing relationship requiring consent and processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems that are also used in connection with the provision of services for the Controller and personal data processed on behalf of the Controller can be accessed during maintenance.
11. Obligation of confidentiality
(1) When processing data on behalf of the Controller, the Processor shall be obliged to maintain the confidentiality of the data which it receives or obtains in connection with the data processing agreement.
(2) The Processor also warrants that the employees working on the data have been familiarized with the applicable data protection regulations and that they are bound to maintain data confidentiality.
(3) Proof for such an obligation for the employees pursuant to paragraph 2 must be presented to the Controller on request.
12. Protection of Data Subjects' rights
(1) The Controller is solely responsible for safeguarding data subjects' rights. The Processor is obliged to support the Controller in its duty to process requests from data subjects in accordance with Articles 12-23 GDPR. The Processor shall in particular ensure that the information required in this respect is provided to the Controller without delay so that the Controller is able to fulfil its obligations, in particular under Article 12 (3) GDPR.
(2) As far as the participation of the Processor is necessary for the protection of data subjects' rights by the Controller – especially regarding access, rectification, restriction or deletion –, the Processor will undertake the necessary measures on instruction by the Controller. Where possible, the Processor shall assist the Controller with appropriate technical and organizational measures to fulfil its obligation to respond to requests for the exercise of the data subjects' rights.
(3) Provisions concerning remuneration of additional expenses incurred through participation of the Processor in connection with assertion of data subjects' rights against the Controller remain unaffected.
13. Confidentiality obligations
(1) Both Parties hereby undertake to treat all information received in connection with the performance of this Agreement as confidential for an indefinite period and to use the information only for carrying out the Agreement. Neither Party has the right to use the information in part or as a whole for purposes other than those mentioned or to make this information available to Third Parties.
(2) The foregoing obligation shall not apply to information that one Party demonstrably received from Third Parties without being bound by secrecy, or which is publicly known.
14. Remuneration
The Processor's remuneration is provided for by way of a separate agreement.
15. Technical and organizational measures for data security
(1) The Processor undertakes towards the Controller to comply with all technical and organizational measures that are required for compliance with applicable data protection regulations. This includes, in particular, the provisions of Art. 32 GDPR.
(2) The technical and organizational measures as of the time at which this Agreement is made are attached as Annex 3 to this contract. The Parties agree that changes to technical and organizational measures may be required to adapt to technical and legal requirements. The Processor will inform the Controller in advance and within a reasonable period of any material changes affecting the integrity, confidentiality or availability of personal data. The Processor may implement without consulting with the Controller measures that entail only slight technical or organizational changes and that do not negatively affect the integrity, confidentiality or availability of the personal data. The Controller may at any time request an up-to-date version of the technical and organizational measures taken by the Processor.
16. Term of the Agreement
(1) The Agreement shall commence upon signature and shall run for the duration of the main contract existing between the Parties for the use of the Processor’s services by the Controller.
(2) The Controller may terminate the Agreement at any time without notice if the Processor has committed a serious violation of the applicable data protection provisions or a breach of duties under this Agreement, or if the Processor is unable or unwilling to carry out an instruction of the Controller or denies access to the Controller or the competent supervisory authority in breach of the Agreement.
17. Termination
(1) After the Agreement has ended, the Processor shall, at the Controller’s discretion, return to the Controller all documents and data in its possession that relate to the contractual relationship, or shall delete them. The deletion shall be documented in a suitable manner.
(2) The Processor may store personal data that has been processed in connection with the processing relationship beyond the termination of the Agreement if and to the extent that the Processor has a legal obligation to store it. In these cases, the data may only be processed for the purpose of implementing the respective legal storage obligations. After the storage obligation has expired, the data must be deleted immediately.
18. Final Provisions
(1) Should the Controller's property held by the Processor be at risk through measures of Third Parties (especially confiscation or seizure of property), through insolvency proceedings or other events, the Processor must inform the Controller immediately. The Processor will inform creditors immediately of the fact that the data are processed on behalf of the Controller.
(2) Written form is compulsory for ancillary agreements.
(3) Should individual parts of this Agreement be invalid, the validity of the Agreement’s other provisions will not be affected thereby.
Annex 1 - Subject matter of the Agreement
1. Subject matter, purpose and duration of the processing
The subject matter of the processing is mainly set out in the Agreement.
Jamie is an AI-based meeting assistant that records, transcribes and summarises both offline and online meetings. The aim of the processing is to efficiently document meetings and support participants with structured summaries. The processing takes place in several steps: First, meetings are recorded (audio), with the audio data being stored temporarily for conversion into text form (transcripts) using AI-supported speech processing. The transcripts are then analysed by the AI to identify important points and create comprehensible and structured summaries.
After successful transcription, the audio recordings are deleted. If the Controller activates the optional ‘Speaker Memory’ function, the Processor creates and stores voiceprints (biometric data for speaker recognition) for the purpose of identifying participants in future meetings; otherwise, no such profiles are stored.
In addition, meeting metadata (e.g. time and date), names and email addresses of participants (if available), IP addresses and device information are processed. Sensitive data may be incidentally collected if it is discussed in meetings, but it is not specifically processed. The data subjects are primarily meeting participants, including employees, customers and external end users. Jamie uses AI to automatically create the transcriptions and accurately summarise content. The technology used is based on machine learning (NLP technologies), which recognises important points from the transcripts and generates summaries. In addition, ‘voice embeddings’ are used to automatically identify and assign speakers.
The data processing takes place in several steps: First, the user starts a recording in Jamie, and during the meeting the audio recordings are made. After the recording is finished, the audio data is sent to the servers for transcription, where a text version of the recorded audio is created. Using AI systems, the transcripts are analysed to extract important content and create a structured summary. After transcription, the audio data is immediately deleted. The transcripts and the summaries are then stored in an EU region-managed database (Planetscale). The user can access the created transcripts and summaries later.
2. Type(s) of personal data
The following data types are the subject of this order:
- Personal master data (surname, first name, position in the company)
- Communication data (email address, IP address)
- Usage data (logins, browser type, access times, meeting metadata, events in the product)
- Technical data (device information, error logs, API calls, server logs)
- Support and service data (support tickets, correspondence, information on problem solving)
- Audio recordings (temporary; deleted after transcription)
- Transcriptions and meeting summaries
- Voiceprints for speaker recognition (biometric data within the meaning of Art. 9(1) GDPR; processed only if the customer activates the “Speaker Memory” function)
Special categories of personal data (e.g. health data, data on racial/ethnic origin) may be processed as part of the data processing agreement if they are part of the audio recording.
3. Categories of data subjects
The following groups of data subjects are subject to the processing:
- Employees of the client/controller
- Customers of the client/controller
- Suppliers of the client/controller
- Shareholders of the client/controller
Annex 2 - Subprocessors
For the processing of data on behalf of the Controller, the Processor uses the services of Third Parties who process data on behalf of the Processor ("subprocessors").
These companies are:
Subprocessor (Name & Address) | Purpose of Service | Server Location | Data Transfer to Third Countries (Legal Basis) |
OpenAI, Ireland Ltd 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | Provision of AI services (GPT, etc.) | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Google Cloud EMEA Limited 70 Sir John Rogerson's Quay, Dublin 2, Ireland | Cloud services, Analytics, Workspace, Vertex AI | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), EU-US DPF (Art. 45 GDPR) and additionally SCCs (Art. 46 GDPR). |
Modal Labs, Inc. 222 Broadway, New York, NY 10038, USA | Infrastructure Provider | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
PostHog Inc 2261 Market Street #4008 | Product analytics and user tracking | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Loops (Astrodon Inc.) Washington, D.C., USA | Marketing automation | United States | SCCs (Art. 46 GDPR). |
Plain (Not Just Tickets Ltd) 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom | Customer support and communication platform | United Kingdom | UK Adequacy Decision (Art. 45 GDPR). |
Langfuse GmbH Gethsemanestraße 4, 10437 Berlin, Germany | Observability platform for LLM applications | European Union | No third-country transfer. Processing and storage take place in the EU. |
Upstash, Inc. | Provision of cloud services as part of the audio/summary pipeline: Redis (temporary storage, caching and fast data retrieval); QStash (communication/queue management) | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Vercel Inc. 440 N Barranca Ave #4133, Covina, CA 91723, USA | Hosting and deployment platform for web applications | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Functional Software, Inc. (d/b/a Sentry) 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Error and performance monitoring for applications | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Plus Five Five, Inc. (Resend) 2261 Market Street #5039 San Francisco, CA 94114, USA | Emailing Services | United States | SCCs (Art. 46 GDPR). |
PlanetScale, Inc. 535 Mission St. San Francisco, CA, 94015, USA | Relational database | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Forge Technology, Inc. (Paragon) 10900 Wilshire Blvd Suite 440, Los Angeles, CA 90024, USA | Integrations Provider | United States | SCCs (Art. 46 GDPR). |
Cloudflare, Inc 101 Townsend St., San Francisco, CA 94107, US | Infrastructure Provider | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Better Stack Rybná 716/24, Staré Město, 110 00 Praha 1, Czech Republic | Logging and Monitoring | European Union | No third-country transfer. Processing and storage take place in the EU. |
Eleven Labs Inc. 169 Madison Ave #2484 New York, NY 10016, USA | Transcription Provider | European Union | Processing and storage take place in the EU. For exceptional cases (e.g., access from the United States), SCCs (Art. 46 GDPR). |
Cal.com, Inc. 2261 Market Street, Suite 4382, San Francisco, CA 94114, United States | Calendar Scheduling Provider | United States | SCCs (Art. 46 GDPR). |
Clay Labs Inc. 111 W 19th Street, 5th Floor, New York, NY 10011. | Marketing Automation | United States | SCCs (Art. 46 GDPR). |
Annex 3
Technical and organizational measures
The Processor shall undertake the following technical and organizational measures for data security in accordance with Art. 32 GDPR.
Confidentiality
Physical Access Control
This category covers measures to prevent unauthorized physical access to areas where sensitive data is stored or processed.
Technical Measures | Organizational Measures |
Access Control System | Information security policy |
Manual Secure Locking system | Maintenance personnel mandated to be committed to data privacy |
Blocking external interfaces such as USB | Key control system |
Chip card/transponder locking system | Careful selection of cleaning personnel |
Logical Access Control
This category involves measures that restrict unauthorized access to digital systems and data, ensuring that only authorized individuals can access sensitive information and resources.
Technical Measures | Organizational Measures |
Authentication via directory services (Single sign-on) | Password Management System |
Multi-Factor Authentication (MFA) mandatory for critical systems | Password policies (appropriate to your organization) |
Automatic logoff procedures | Mobile Device Management Policy |
Disk Encryption for all devices | User Permission Management / Privileged Access Management systems |
Encryption of databases | Separate user account for each employee (with individual user IDs) |
Authentication with username and password | Documented regulations for when employees leave |
Creation of user profiles | |
Authorization Control
This category focuses on ensuring that those authorized to use a data processing system can only access the data subject to their access authorization, with controls in place to manage and limit access rights, prevent unauthorized use and securely handle sensitive data.
Technical Measures | Organizational Measures |
Secure deletion of data carriers | Assignment of administrator rights to a minimum number of persons |
Automatic account blocking after multiple wrong inputs of a password | Implementation of a role and authorization concept |
Logging of application access | Issuing written instructions on the processing of personal data |
| Obligation of employees to comply with the requirements of the GDPR |
Separation Control
This category ensures that data and systems are kept isolated from one another where necessary, minimizing the risk of data leaks.
Technical Measures | Organizational Measures |
Separation of production and test system | Data Protection Policy |
Physical separation of databases and systems | Secure Coding Practices |
Network segmentation | Logical user separation |
Database access rights | |
| Internal policy to anonymize / pseudonymize data if possible |
Pseudonymization
This category involves the process of replacing identifiable information with pseudonyms, ensuring that personal data cannot be attributed to a specific individual without additional information. Pseudonymization enhances data privacy by reducing the risk of exposure while still allowing data to be processed and analyzed.
Technical Measures | Organizational Measures |
Pseudonymization of data during further processing or transmission | Anonymization of data when identification is no longer necessary |
Integrity
Transfer Control
This category focuses on ensuring the integrity and confidentiality of data during transmission. It includes measures that protect data from unauthorized access, modification or loss while it is transferred between systems or parties, so that the data arrives unchanged.

| Technical Measures | Organizational Measures |
| --- | --- |
| Content-encrypted data transmission | |
| Encryption of internet traffic | |
| Encryption for e-mail transmission | |
Input Control
This category ensures the accuracy and integrity of data during input, modification and access. It includes measures to track and log data entries and changes, protect the data from unauthorized modification and allow corrections where necessary, so that it can be established retrospectively who entered, changed or removed which data. These measures keep the data accurate and consistent throughout its lifecycle while providing transparency and accountability.

| Technical Measures | Organizational Measures |
| --- | --- |
| Certificate-based authentication of data source | Documentation of the existing IT infrastructure |
| Logging (of data access, entry, change, deletion, transmission, failed access attempts, etc.) | Documentation of the security measures taken |
| Automated evaluation of log data | Documentation of the programs and applications used |
| Firewall packet filter | Documentation of binding deletion periods |
| Application layer firewall | Documentation of contract and subcontract relationships |
| E-mail gateway with a filter function | Documentation of the nature, scope, circumstances and purposes of the processing |
| Manual or automated reviews of logs | Documented records of processing activities |
Availability and Resilience
Availability Control
This category focuses on ensuring that data and systems are consistently accessible and operational when needed, preventing downtime and protecting against data loss or system failures.

| Technical Measures | Organizational Measures |
| --- | --- |
| Automatic emergency call system | Avoidance of local data storage |
| Automatic notification system in case of failure | Documented contingency (emergency) plan |
| Redundant IT systems | |
| Automatic scaling of virtual systems | |
| Load balancing of network components / servers / services | |
Recoverability Control
This category ensures that data and systems can be quickly restored to full functionality after an incident.

| Technical Measures | Organizational Measures |
| --- | --- |
| Automated creation of data backups | Backup concept and disaster recovery plan |
| Backup monitoring | Defined responsibilities for data backup |
| Regular testing of data recovery | |
| Storage of data backups in a separate secure compartment outside the server room | |
Procedures for Regular Review
Data Protection Management
This category includes the procedures and documentation necessary to ensure ongoing compliance with data protection regulations and to keep data protection integrated into the company's operations, risk management and decision-making processes.

| Technical Measures | Organizational Measures |
| --- | --- |
| Data protection documentation is centralized and available to all employees | Data Protection Impact Assessment |
| | Regular audits of the data scope |
| | Regular review of security certifications |
| | Regular review of the TOMs |
| | Data Protection Officer appointed |
| | Regular data privacy and awareness training for staff |
| | Documented processes regarding information obligations |
| | Formalized processes for information requests from data subjects |
Incident Response Management
This category involves the ongoing evaluation and improvement of the processes and protocols in place to respond to data breaches and security incidents.

| Technical Measures | Organizational Measures |
| --- | --- |
| Automated update processes for operating systems, applications and services | Documented post-incident review procedure |
| Intrusion Prevention System | Documented processes for security incident reporting |
| | Documented incident response procedure |
| | Documented data breach notification procedure |
Data Protection by Design and Default
This category ensures that data protection is integrated into the design and operation of systems and processes from the outset.

| Technical Measures | Organizational Measures |
| --- | --- |
| Enhanced privacy and security settings enabled by default in software | Regular perimeter analysis for web applications |
| | Regular security checks during development |
Third-Party Management and Data Processing Control
This category covers the monitoring and management of external parties involved in data processing. It includes measures that ensure that outsourcing arrangements maintain the necessary levels of data protection and security.

| Technical Measures | Organizational Measures |
| --- | --- |
| Monitoring of remote access by subcontractors and external parties | Data Processing Agreements |