InVision Software Ltd. Data Processing Agreement
Date: July 2020
§1 Definitions
1. “Agreement” means the agreement between the Client and InVision Software Ltd. (“Contractor”) which references this Data Processing Agreement (“DPA”).
2. “Applicable Data Protection Law” means the legislation protecting the right to privacy with respect to the Processing of Personal Data (e.g. the GDPR).
3. “Client” means the Client, who determines the purposes and means of the Processing of Personal Data.
4. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
5. “Personal Data” has the meaning given to that term in Art 4 (1) of GDPR and, for the purposes of this DPA, includes only such Personal Data of Client being Processed by Contractor as Client’s Processor.
6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed under the terms of this DPA.
7. “Processor” means a natural or legal person which Processes Personal Data on behalf of a Client.
8. “Processing” has the meaning given to that term in Art. 4 (2) of the GDPR.
9. “Service” shall mean services provided under the Agreement that involve the Processing of Personal Data by Contractor acting in its role as Processor for Client. The Services are further specified in Annex 1.
10. “Sub-Processor” shall mean any further Processor engaged by Contractor in the performance of the Services provided under the terms of this DPA. Sub-Processor shall only mean a subcontractor with access to Personal Data.
§2 Purpose and scope
1. This DPA serves as a written data processing agreement between Client and Contractor and applies to services provided under the Agreement that involve the Processing of Personal Data by Contractor acting in its role as Processor for Client.
2. It defines Client’s and Contractor’s data protection-related rights and obligations with regard to the Services covered by this DPA; all other rights and obligations shall be exclusively governed by the other parts of the Agreement.
3. Contractor shall Process Personal Data only in accordance with the terms of the Agreement (including the terms of this DPA).
4. In providing the Services, Contractor shall observe all data protection laws and regulations applicable to Processors. Client shall be responsible for compliance with any laws and regulations applicable to Client.
5. In the event of inconsistencies between the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the parties’ data protection obligations, this DPA shall prevail.
§3 Details of the Processing operations
1. The details of the Processing operations conducted by Contractor – in particular the types of Personal Data Processed and the categories of data subjects – are specified in Annex 1 to this DPA.
2. Personal Data is Processed exclusively within the EU or in another contracting state of the Treaty of the European Economic Area or in Switzerland, which is covered by an adequacy decision of the European Commission (cf. Art. 45(9) GDPR). Any relocation to a third country (Art. 44 GDPR) requires the prior consent of the Client and may only take place if the requirements of Art. 44ff. of GDPR are met.
§4 Instruction rights
1. Contractor, being the Processor, will only act upon Client’s instructions. The parties agree that the Agreement and this DPA constitute Client’s complete and final instructions for the Processing of Personal Data.
2. Contractor shall use reasonable commercial efforts to follow and comply with further instructions received from Client as long as they are technically feasible and do not require any material modifications to the Services (or underlying software). Further instructions must be agreed between Contractor and the Client in writing and may be subject to additional costs. Contractor shall immediately notify the Client if, in its opinion, an instruction violates Applicable Data Protection Law.
3. In case further instructions are required due to Applicable Data Protection Law and Contractor and Client do not reach an agreement in accordance with §4.2 above, Client shall have the right to terminate the Agreement.
§5 Technical and organisational measures
1. Contractor shall implement the technical and organisational measures described in Annex 2. Client hereby confirms that the level of security provided is appropriate to the risk inherent with the Processing by Contractor on behalf of Client.
2. Client understands and agrees that the technical and organisational measures are subject to technical progress and development. In that regard, Contractor shall have the right to implement adequate alternative measures as long as the security level of the measures is maintained.
§6 Commitment to data secrecy
1. Contractor shall obligate any personnel engaged in providing the Services to maintain the confidentiality of Personal Data.
§7 Sub-Processors
1. Contractor may only engage Sub-Processors with the prior approval of Client, which shall not be unreasonably withheld. Client hereby approves the engagement of the Sub-Processors listed on Contractor’s website. Contractor shall enter into a contract with each Sub-Processor imposing appropriate contractual obligations on the Sub-Processor that are no less protective than this DPA and provide a copy of the respective agreement upon Client’s written request, unless the agreement contains commercial or otherwise confidential information, in which case Contractor may remove such commercial or otherwise confidential information.
2. Contractor shall be authorised to remove or add new Sub-Processors. New Sub-Processors shall be approved by Client in accordance with the following process:
2.1. Contractor shall notify Client with at least ten (10) days prior notice before authorising any new Sub-Processor to access Client’s Personal Data.
2.2. If Client raises no reasonable objections with Contractor in writing within this ten (10) day period, then this shall be taken as an approval of the new Sub-Processor, provided that Contractor informed Client in the notification about such consequence.
2.3. If Client raises objections vis-à-vis Contractor, then Contractor shall have the right to terminate the Agreement with ten (10) days’ notice unless Contractor chooses, at its own discretion, to (a) continue the Service without the engagement of the Sub-Processor which Client objected to, (b) take sufficient steps to address the concerns raised in Client’s objection or (c) in agreement with Client, cease to provide the particular aspect of the Service that would involve use of the Sub-Processor.
3. Should the Sub-Processor fail to fulfil its obligations, Contractor shall remain fully liable to Client for the performance of the Sub-Processor’s obligations.
§8 Data Privacy Contact
1. Both parties shall inform each other about the name and the contact details of the data privacy contact by inserting this information in Annex 1.
2. Unless explicitly agreed otherwise, all information and notices required under this DPA shall be sent by Contractor to the client contact in writing (email suffices).
§9 Rectification, erasure and restriction of Processing
1. Contractor shall rectify, erase or restrict the Processing of Personal Data as instructed by Client.
§10 Notification obligations and Contractor support
1. In the event of a Personal Data Breach, Contractor shall notify Client without undue delay (but not later than 48 hours after becoming aware of it). Contractor shall (i) reasonably cooperate with Client in the investigation of such Personal Data Breach, (ii) provide reasonable support in assisting Client in its security breach notification obligations under Applicable Data Protection Law (if applicable) and (iii) initiate respective and reasonable remedy measures.
2. Contractor shall notify Client without undue delay of (i) complaints or requests of data subjects whose Personal Data are Processed pursuant to this DPA (e.g. regarding the rectification, erasure and restrictions of Processing of Personal Data) or (ii) orders or requests by a competent supervisory authority or court.
3. At Client’s request, Contractor shall reasonably support Client in
3.1. dealing with complaints, requests or orders described in §10.2; and
3.2. fulfilling its obligations under Applicable Data Protection Law.
Such support shall be at Client’s expense and compensated on a time and materials basis unless Contractor is culpable.
§11 Audits
1. Client shall have the right to verify, by appropriate means in accordance with §§ 11.2 and 11.3 below, Contractor’s and Sub-Processors’ compliance with the data protection obligations in this Data Processing Agreement (in particular regarding the technical and organisational measures), annually and upon occurrence of an event; such verification being limited to information about data processing systems that are relevant for the provision of the Services.
2. Contractor and Sub-Processors may maintain certifications or audit reports capturing the Processing Services. Client agrees that these certifications and audit reports shall be used to address Client’s audit rights under this DPA. Upon Client’s request, Contractor shall provide such (i) relevant extracts of audit reports and (ii) information and documentation regarding the applicable certifications available for the Services concerned. The audit reports, information and documentation provided shall constitute confidential information of Contractor.
3. Only in case the certifications and audit reports provided do not suffice for Client to comply with applicable audit requirements and obligations under Applicable Data Protection Law, Client may at its cost and expense (i) request additional information and documentation or (ii) after reasonable prior notice, further audit Contractor’s control environment and security practices relevant to Personal Data Processed under this Data Processing Agreement without disrupting Contractor’s business operations and in accordance with Contractor’s security policies and Applicable Data Protection Law.
§12 Term and Termination
1. This DPA shall have the same term as the Agreement. Upon termination of the DPA, unless otherwise agreed between the Parties, Contractor shall, within the period stated in the Agreement, erase all Personal Data made available to Contractor or obtained or generated by Contractor on behalf of Client in connection with the Services. The erasure shall be confirmed by Contractor in writing upon request.
ANNEX 1: Details of Processing operations and Data Privacy contacts
1. Processing operations
Data subjects:
Client’s employees and freelancers
Personal Data:
Data used in the shift scheduling process, i.e. employee name, skills, contact data (e.g., phone, email), training status and the like
Special categories of Personal Data:
-/-
Processing purpose:
As further defined in the Agreement. Includes online services for Workforce Management and/or E-Learnings.
Duration:
Equivalent to the Agreement
2. Contacts
Contractor Contact:
- Frank Trautmann, Data Protection Officer
- E-Mail: privacy@invision.de
Client Contact:
- Name, Title:
- E-Mail:
ANNEX 2: Technical and organisational measures pursuant to Art. 32 GDPR
This section describes the technical and organisational measures for the protection of Personal Data (“Measures”) which Contractor takes as a minimum in connection with the processing carried out by Contractor, taking into account the state of the art in technology, the costs for implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
If other or special measures are agreed in the Agreement, those special measures apply instead of or in addition to the measures described in this document.
I. Basic Measures
The basic Measures assure the protection of confidentiality and the integrity of the systems with which Contractor processes personal data, especially by way of remote access. These Measures apply for all processing carried out by Contractor unless agreed otherwise in the underlying contract.
1. Internal organisation of operations
Contractor has appointed a company data protection officer. All employees and sub-contractors of Contractor having access to Personal Data are under obligations to process these data only upon instruction and exclusively for the performance of the contractually agreed services.
Contractor’s employees are made aware of the issues of data protection and IT security through specific training courses.
2. Protection against unauthorised access
The Contractor does not have an office building and all of Contractor’s employees are home-based. The following provisions apply to the Contractor’s parent company, InVision AG, of Speditionstrasse 5, 40221 Düsseldorf, Germany.
InVision AG’s office building is secured by an electronic access/intrusion alarm system. Only persons who have an appropriately authorised token are granted access to the building and individual areas. Outside office hours, the office building is also secured by a burglar alarm system and is controlled by a security guard.
Areas with increased security requirements, e.g. the IT headquarters, are additionally monitored by video and are locked as standard. There is a dedicated key management system.
Access authorisations are based on the employees’ areas of responsibility. They are assigned in a dedicated manner and are immediately adjusted or withdrawn in the event of changes to these areas of responsibility.
3. Protection for computers
Each employee of Contractor uses a computer assigned to him. For access to his computer, the employee authenticates himself at the device by entering his user name and password. To further increase the level of protection of the employees’ computers, the hard disks of the computers are encrypted by default, so that in case of loss or theft no unauthorised person can gain access to the local data. The internal network of Contractor is protected against external attacks by the use of firewalls. Access to the internal WLAN is secured by state-of-the-art authentication methods. The guest WLAN is logically separated from the internal WLAN.
4. Protection of data upon transmission, transport and remote access
It must be ensured that Personal Data cannot be read, copied, altered or removed during electronic transmission or during the transport of the data or storage on data carriers.
The following measures apply:
Electronic communication channels are secured by using closed networks and data encryption methods. In the case of physical transport of data carriers, existing, verifiable transport procedures are used to protect against unauthorised access or loss of data. Data carriers are disposed of in a manner appropriate to the protection of the data. Remote maintenance connections are protected by suitable encryption procedures.
II. Specific Measures for services in which Contractor stores client data in IT systems
These specific Measures assure the protection of the confidentiality, integrity, availability and resilience of the IT systems in which Contractor stores Personal Data. These Measures apply when the storage of data represents a material aspect of the contractual services by Contractor and is not just temporary.
1. Protection against unauthorised Processing
Access to Personal Data in IT systems is granted on the basis of an authorisation concept tied to the function being performed (“need to know”). Furthermore, unauthorised access to Personal Data is prevented as needed by means of data encryption.
2. Assurance of traceability
Access to Personal Data is logged in files that hold the ID and time stamp of the respective user.
3. Assurance of integrity, availability and stability
Contractor stores Personal Data using redundant systems, which are additionally protected against loss by suitable and regularly performed security measures. The availability of the internal IT services is guaranteed by an appropriate backup concept. Restore processes are carried out regularly to verify the validity of the available backups. Contractor uses Uninterruptible Power Supplies (UPSs) to ensure the power supply in its IT headquarters.