Data Processing Terms

These Data Processing Terms and their DPA Appendix apply to IXOPAY's processing of personal data acting as "Processor" on behalf of the Client, and jointly form the Data Processing Agreement under Art 28 GDPR ("DPA"). The DPA is subject to the terms of the Agreement. Unless explicitly stated otherwise, the order of precedence is: 1. DPA Appendix, 2. these Data Processing Terms, 3. the Agreement. Capitalized terms under data protection law used and not defined herein (e.g. “Processing”, “Data Subject”) have the meanings given to them in the GDPR. For the purposes of this DPA, the term Controller refers to Client and the term Processor refers to IXOPAY, whether Client acts as controller (and IXOPAY as a processor) or as processor for another controller (and IXOPAY as another (sub-)processor), unless the context indicates otherwise.

1. Processing

Subject matter, nature and purpose of the Processing are determined by Processor's Deliverables as described in the Order Document including any applicable SOW and as supplemented in the DPA Appendix ("Services"). Unless otherwise provided for in the Order Document or in the DPA Appendix, the duration of the Processing is linked to the duration of the Agreement as defined in the Order Document and ends simultaneously.

2. Rights and obligations of the Processor towards the Controller


Client confirms to be the sole Controller in the meaning of Art 4 lit 7 GDPR with respect to any kind of information relating to Data Subjects who are identified or identifiable as defined in Art 4 lit 1 GDPR that is Processed by Processor in order to provide the Services. If further Controllers exist, or if Client itself acts as Processor of Controllers, such Controllers have instructed and authorised Client to agree to the processing activity.


Controller has the right and obligation to determine the purposes and means of the Processing. Processor is obliged to Process Personal Data only on documented instructions from the Controller and acknowledged by Processor as constituting instructions for purposes of the DPA. To the extent changes significantly increase the scope of Processor's Processing, Section 2.13 applies.


As between the Parties, Controller is responsible for the lawfulness of the Processing and, more generally, full compliance with the GDPR, the applicable EU or Member States data protection provisions (“Applicable Data Protection Legislation”) and this DPA. If Controller’s instructions to disclose by transmission or to otherwise make Personal Data available to another Controller, Joint Controller or Processor result in a transfer to a third country or to an international organization, then Controller shall procure compliance with the conditions of Chapter V GDPR. Controller indemnifies Processor against any third-party claims and/or sanctions imposed by Supervisory Authorities due to Controller’s unlawful Processing under the Agreement.


If in Processor's opinion an instruction infringes Applicable Data Protection Legislation, Processor will inform Controller without undue delay and may suspend the performance of the instruction until Controller has modified or confirmed the lawfulness of the instruction via email to [email protected].


Processor confirms that persons authorised to Process Personal Data are granted access only on a need-to-know basis and have committed themselves to confidentiality, particularly as prescribed by Section 6 DSG 2018 and Art 28 Para 3 lit b GDPR, prior to accessing the data or are under an appropriate statutory obligation of confidentiality.


Processor declares that preventive measures in particular as prescribed in Art 32 GDPR appropriate to the risk for Processor’s scope of responsibility have been implemented, particularly to prevent data from being used unlawfully or that data is disclosed to third parties without Controller’s prior written authorization. Processor has implemented and maintains technical and organizational security measures ("TOMs") in its scope of responsibility. However, the specific data security measures may - depending on the processing activity - be adapted and updated by the Processor on its own behalf and in line with the applicable statutory provisions provided that the security and functionality of the processing are not degraded. Controller can request the current TOMs from the Processor at any time via email to [email protected].

Controller confirms to have implemented and to maintain appropriate TOMs in its own scope of responsibility.


Processor has implemented and maintains technical and organizational security measures ("TOMs") to ensure a level of security appropriate to the risk in its scope of responsibility. However, the specific data security measures may - depending on the processing activity - be adapted and updated by the Processor at its own discretion and in line with the applicable statutory provisions provided that the security and functionality of the processing are not degraded. Controller can request the current TOMs from the Processor at any time via email to [email protected].



Controller hereby provides Processor with a general written authorization in accordance with Art 28 Para 2 GDPR to engage third parties for processing ("Subprocessors"). Processor shall inform Controller in due time of any intended changes concerning the addition or replacement of a Subprocessor. Controller may reasonably object to such changes pursuant to Art 28 Para 2 GDPR via email to [email protected] within 30 days of receipt of Processor’s notification. Controller shall include its legitimate grounds for the objection together with any options to mitigate. In the event of an objection in accordance with the aforesaid requirements, the Parties shall cooperate to find a feasible solution. Processor shall enter into a written agreement with Subprocessor pursuant to Art 28 Para 4 GDPR and shall impose on each Subprocessor substantially similar data protection obligations as set out in the DPA.


Upon Controller's request via email to [email protected], Processor assists Controller by technical and organisational measures, insofar as this is possible, enabling it to secure the Data Subject's rights under Chapter III GDPR (e.g. right of access, to rectification, erasure or to object) or to respond to similar requests under Applicable Data Protection Legislation, by providing the functionality of the Service and by providing information required for the request. In case Processor is directly contacted by Data Subjects concerning their rights resulting from data protection laws, it will forward the respective request to Controller without undue delay. Controller is responsible for answering the request. Processor will handle requests of Data Subjects only upon Controller's prior documented instruction via email to [email protected].


If a Data Subject brings a claim directly against Processor for a violation of its Data Subject Rights, Controller shall indemnify Processor for the part of the damages, particularly cost, charge, expenses and/or loss, arising in connection with such a claim, that corresponds to Controller’s part of responsibility. Corresponding to Processor's part of responsibility for a damage and subject to the terms of the Agreement including its limitations of liability, Controller may claim back from Processor compensation paid to a Data Subject for a violation of their Data Subject rights caused by Processor’s breach of its obligations under GDPR.

Claims for reimbursement under this Section require that the party against which the Data Subject's claim is brought has informed the other party of the claim and given it the opportunity to cooperate in its defense and settlement.


Processor shall assist Controller in ensuring compliance with the obligations pursuant to Art 32 to 36 GDPR to a reasonable extent taking into account the nature of the Processing and the information available to Processor.

In particular, Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach with respect to the Processing. Controller shall remain solely responsible towards Supervisory Authorities and Data Subjects under Art 33, 34 GDPR and, based on the information provided by Processor, shall decide at its sole discretion whether a notification to a Supervisory Authority and/or Data Subjects is required. Any liability of Processor is excluded if Controller fails to submit (in due time) a legally required notification despite Processor's timely information.


After the end of the provision of the Services relating to processing, Processor shall, at the choice of Controller, delete or return all respective personal data in its possession unless applicable law requires storage of the Personal Data.

However, subject to prior anonymization, Controller expressly authorizes Processor to conduct non-personal evaluations of the data processed on behalf of the Controller for the Processor’s purpose of improving its Services.


Pursuant to Art 28 Para 3 lit h GDPR, Processor assists Controller and provides it or another auditor mandated by Controller (if under an appropriate statutory or contractual obligation of confidentiality towards Processor) with any information necessary to control the adherence to the duties under the DPA as follows:

(i) Processor primarily provides Controller or its auditor the most recent security documentation, certifications and/or summary third party audit reports conducted to assess and evaluate the effectiveness of the TOMs and, if requested by Controller, will further cooperate by providing additional information for Controller’s better understanding of such documentation.

(ii) If necessary for Controller's compliance with its own audit obligations or with a competent Supervisory Authority’s request, Processor will, upon Controller’s written notification of such necessity, reasonably assist Controller to enable Controller to provide such further information.

(iii) To the extent it is impossible to comply with mandatory audit obligations by means of (i) and (ii) above, Controller can mandate an independent auditor, having appropriate skills and knowledge to perform relevant audits effectively, to conduct an onsite inspection restricted to the facilities used to provide the Service, during Processor’s ordinary business hours, in a manner that causes minimal disruption to Processor’s business and, in case of inspections without just cause, not more than once per year, unless legally required. In advance of such inspection, the Parties shall coordinate a reasonable date as well as security and confidentiality measures in order to reduce any risk to Processor's other contractual partners. For that purpose, Processor reserves the right to impose reasonable limitations and/or require additional assurances from Controller on a case-by-case basis.

The Parties will bear their own costs with regard to subparagraph (i) above. Section 2.13 applies to any further assistance under subparagraphs (ii) and (iii), without prejudice to Controller’s rights under Art 28 Para 3 lit h GDPR.


Processor is entitled to an appropriate remuneration for any assistance and rendering of services under the DPA and for significantly increased scope of Processing (cf. Section 2.2 above) based on the hourly rates most recently agreed upon. Controller shall submit all instructions, requests for assistance, enquiries and other communication towards Processor under the DPA via email to [email protected].


The DPA shall be governed by the laws of the Republic of Austria without regard to its conflict of law rules.

Version: 21.09.2023