Data processing agreement
Sprad Software GmbH (hereinafter "Sprad" or "Contractor") provides its services exclusively on the basis of the following Data Processing Agreement (DPA). This DPA shall apply to all legal relationships between Sprad and the customer (hereinafter "Customer"), even if no explicit reference is made to it. The version valid at the time of the conclusion of the contract shall be authoritative in each case. Amendments to the DPA shall be notified to the customer and shall be deemed agreed unless the customer objects to the amended DPA in writing within 14 days.
1. Preamble
(1) The contractor shall process personal data on behalf of the client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.
(2) Insofar as the term "data processing" or "processing" (of data) is used in this agreement, the definition of "processing" within the meaning of Art. 4 No. 2 of the GDPR shall apply.
2. Subject of the contract
(1) The contractor grants the client the use of the Sprad Software in accordance with the main contract and the General Terms and Conditions (GTC). In doing so, Sprad obtains access to personal data (hereinafter "data") and processes it exclusively on behalf of and in accordance with the instructions of the client. The scope and purpose of the data processing by Sprad as a processor result from the main contract. The client remains responsible for assessing the permissibility of the data processing. The purpose of the data processing includes, in particular, the following tasks:
- Operation of the Sprad employee referral program (web platform)
- Acceptance and management of job applications
- Processing of job advertisements and the reward system
- Informing registered users about job vacancies
- Maintenance and servicing of the web platform in accordance with the main contract
(2) The contractor may process and use the data for its own purposes and under its own responsibility within the limits of data protection law if a statutory permission or a declaration of consent by the data subject permits this. This agreement shall not apply to such data processing.
(3) These provisions shall apply to all activities connected with the main contract and during which the contractor and its employees or persons commissioned by the contractor come into contact with personal data originating from the client or collected for the client.
(4) The term of this agreement shall follow the term of the main contract unless the following provisions give rise to further obligations or rights of termination.
3. Personal data
(1) If the customer requests the contractor to process additional personal data beyond the personal data mentioned below, the customer shall notify the contractor. The contractor shall review the request and, if possible, confirm the changes.
(2) The following categories of persons are affected by the commissioned processing:
- Employees (Users)
(3) The following types of personal data are affected by the commissioned processing:
- Personnel data (e.g., first name, last name, occupation, work location)
- Communication data (e-mail address, telephone number, Slack, MS Teams)
- Applicant data and application documents
- Data that users submit of their own accord in messages, free text fields, or as the content of files.
4. Rights and obligations of the client
(1) The client is the controller within the meaning of Art. 4 No. 7 GDPR for the data processing carried out by the contractor on its behalf. In accordance with Section 5 (5), the contractor shall have the right to notify the client if data processing that it considers legally inadmissible is the subject of the order and/or an instruction.
(2) As the responsible party, the customer shall be responsible for safeguarding the rights of the data subjects. Therefore, the contractor shall inform the customer without delay if data subjects assert their data subject rights against the contractor in connection with this data processing on the contractor's behalf.
(3) The customer shall have the right to issue supplementary instructions to the contractor at any time regarding the data processing type, scope, and procedure. Instructions must be given in text form (e.g., e-mail).
(4) Regulations on any remuneration of additional expenses incurred by the contractor due to supplementary instructions of the customer shall remain unaffected.
(5) The customer may appoint persons authorized to issue instructions. The persons authorized to issue instructions on behalf of the customer as controller shall be determined from the current information in the customer's account on the contractor's platform. If the persons authorized to issue instructions change, the customer shall notify the contractor in text form.
(6) The customer shall inform the contractor without delay if it discovers errors or irregularities in connection with processing personal data by the contractor.
(7) If an obligation to notify third parties under Art. 33 or 34 GDPR or any other statutory notification obligation applies to the client, the client shall be responsible for compliance with it.
5. General obligations of the contractor
(1) The contractor shall process personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the client. Exceptions to this are legal regulations that may require the contractor to process data differently. In such a case, the contractor shall notify the client of these legal requirements before processing unless the relevant law prohibits such notification due to an important public interest. The data processing's purpose, nature, and scope shall otherwise be governed exclusively by this agreement and/or the client's instructions. The contractor is only allowed to process data in a manner deviating from this if the customer has consented to this in writing.
(2) The contractor undertakes to carry out data processing on behalf of the customer only in member states of the European Union (EU) or the European Economic Area (EEA). Processing of personal data in a third country requires the prior consent of the client, which must be given at least in text form (e.g., e-mail). Such consent may only be granted if it is ensured that the requirements of Art. 44 to 49 GDPR applicable in each case are met so that an adequate level of protection for the personal data is guaranteed.
(3) When processing personal data in accordance with the order, the contractor shall ensure that all agreed measures are carried out in accordance with the contract.
(4) The contractor shall be obliged to organize its company and its operating procedures so that the data it processes on behalf of the customer is secured to the extent required in each case and protected against unauthorized access by third parties. The contractor shall coordinate changes in the organization of the data processing on behalf of the customer that are significant for the security of the data with the customer in advance.
(5) The contractor shall inform the customer without delay if, in its opinion, an instruction issued by the customer violates statutory regulations. The contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the customer. If the contractor can demonstrate that processing in accordance with the client's instructions may lead to liability on the contractor's part under Art. 82 GDPR, the contractor shall be entitled to suspend further processing in this respect until the liability between the parties has been clarified.
(6) The contractor shall process the data it processes on behalf of the client separately from other data. However, physical separation is not mandatory.
(7) The contractor can be contacted at email@example.com for questions relating to data protection law.
6. Reporting obligations of the contractor
(1) The contractor shall be obliged to notify the customer without undue delay of any infringement of data protection regulations or of the contractual agreements made and/or the instructions issued by the customer which has occurred in the course of the processing of data by the contractor or other persons involved in the processing. The same shall apply to any violation of the protection of personal data processed by the contractor on behalf of the customer.
(2) The contractor shall inform the customer immediately if a supervisory authority takes action against the contractor under Art. 58 GDPR and this action may also concern the monitoring of the processing carried out by the contractor on behalf of the customer.
(3) The contractor is aware that the client may be subject to a notification obligation under Art. 33 and 34 GDPR in the event of a personal data breach, which provides for notification to the supervisory authority within 72 hours of becoming aware of the breach. Accordingly, the contractor shall support the client in fulfilling these notification obligations. In particular, the contractor shall notify the client of any unauthorized access to personal data processed on behalf of the client without delay, but no later than 48 hours after becoming aware of such access. The contractor's notification to the client shall include, in particular, the following information:
- a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the measures taken or proposed by the contractor to address the personal data breach and, if applicable, steps to mitigate its potential adverse effects.
7. Cooperation obligations of the contractor
(1) The contractor shall support the client in responding to requests to exercise data subject rights under Art. 12-23 GDPR. The provisions of Section 13 of this agreement shall apply accordingly.
(2) The contractor shall cooperate in preparing the customer's directories of processing activities. It shall provide the customer with the information required in this respect appropriately.
(3) The contractor shall support the customer in complying with the obligations set out in Art. 32-36 of the GDPR, considering the type of processing and the information available to it.
8. "Home office" regulation
(1) The contractor may allow its employees who are commissioned to process personal data for the customer to process personal data in private residences ("Home office").
(2) The contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed in the "Home office" of the contractor's employees. Deviations from individual contractually agreed technical and organizational standards shall be agreed upon in advance with the customer and approved by the latter in text form.
(3) If personal data is processed in the "Home office", the contractor shall, in particular, ensure that storage locations are configured in such a way that local storage of data on the IT systems used in the "Home office" is excluded. If this is not possible, the contractor shall ensure that local storage is exclusively encrypted and that other persons in the household do not have access to this data.
9. Control rights
(1) The customer shall have the right to monitor the contractor's compliance with the statutory provisions on data protection and/or compliance with the contractual requirements agreed between the parties and/or compliance with the customer's instructions at any time to the extent required.
(2) The contractor shall be obligated to provide the customer with information to the extent necessary to carry out the control within the meaning of paragraph 1.
(3) The customer may demand to inspect the data processed by the contractor for the customer as well as the data processing systems and programs used.
(4) The customer may carry out inspections within the meaning of paragraph 1 at the contractor's premises during regular business hours after prior notification with a reasonable notice period. In doing so, the customer shall ensure that inspections are carried out only to the extent necessary, so that the contractor's operating processes are not disproportionately disrupted.
(5) The contractor shall be obligated to provide the necessary information to the customer in the event of measures of the supervisory authority against the customer within the meaning of Article 58 of the GDPR, in particular concerning information and control obligations, and to enable the respective competent supervisory authority to conduct an on-site inspection. Furthermore, the contractor shall inform the customer about corresponding planned measures.
(6) In order to protect the individual rights of the contractor's employees and of other persons in the respective household, the parties agree that control measures in the case of processing of personal data in the "Home office" shall primarily be carried out by verifying the contractor's assurances regarding the measures to be taken under Clause 8 (2) and (3).
10. Subcontractors
(1) The contractually agreed services of the main contract shall be performed with the involvement of the subcontractors named at https://sprad.io/subcontractors. Subcontractors that are only used for a specific product configuration are labeled as such on that information page.
(2) The contractor shall carefully select the subcontractor and check before commissioning that the subcontractor can comply with the agreements between the client and the contractor. In particular, the contractor shall check in advance and regularly during the contract term that the subcontractor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data.
(3) The contractor may establish further relationships with subcontractors within the scope of its contractual obligations. The contractor shall inform the customer in text form in advance, allowing the customer to object to such changes in individual cases. The customer may only object for good cause, which must be demonstrated to the contractor. If the customer does not object in text form within 14 days after receipt of the notification, its right to object to the corresponding subcontracting shall expire. If the customer objects, the contractor shall be entitled, notwithstanding the termination provisions, to terminate the main contract and this agreement for cause with two weeks' notice to the end of the month. In this case, the customer shall be reimbursed pro rata temporis for any remuneration paid in relation to the contract term. The customer shall have no further claims in this respect.
(4) The contractor shall ensure that the regulations agreed upon in this contract and, if applicable, supplementary instructions of the customer also apply to the subcontractor.
(5) If subcontractors in a third country are to be involved, the contractor shall ensure that the legal requirements for this under Art. 44 et seq. GDPR are met. Insofar as there is no adequacy decision under Art. 45 (3) GDPR for the third country concerned, data processing by the subcontractor shall only take place if an adequate level of data protection is guaranteed. The conclusion of the standard contractual clauses adopted by the European Commission, together with corresponding organizational and technical measures, ensures adequate protection of the transferred data.
(6) Services that the contractor obtains from third parties as purely ancillary services for carrying out its business activity shall not be regarded as subcontracting relationships within the meaning of paragraphs 1 to 5. These include, for example, cleaning services, telecommunication services without any specific reference to the services provided by the contractor to the customer, postal and courier services, transport services, and guarding services. In the case of ancillary services provided by third parties, the contractor shall nevertheless be obliged to ensure that appropriate precautions and technical and organizational measures have been taken to guarantee the protection of personal data. The maintenance and servicing of IT systems or applications constitute a subcontracting relationship requiring consent and commissioned processing within the meaning of Art. 28 GDPR if the maintenance and testing concern IT systems that are also used in connection with the provision of services for the client and personal data processed on behalf of the client can be accessed during the maintenance.
11. Confidentiality
(1) When processing data for the customer, the contractor shall be obliged to maintain confidentiality regarding data it receives or becomes aware of in connection with the order. The contractor undertakes to observe the same confidentiality rules that are incumbent on the customer. The customer shall inform the contractor of any special statutory secrecy obligations.
(2) The contractor warrants that it knows the applicable data protection regulations and is familiar with their application. The contractor further confirms that it has familiarized its employees with the data protection provisions and obligated them to maintain confidentiality. The contractor further warrants that it has obligated the employees engaged in the performance of the work to maintain confidentiality and has informed them of the client's instructions.
12. Liability
(1) The client and the contractor shall be liable to data subjects in accordance with the provisions of Art. 82 GDPR.
(2) In the internal relationship between the parties, the exclusions and limitations of liability according to the main contract shall apply unless expressly agreed otherwise. Insofar as third parties assert claims against the contractor which have their cause in a culpable breach by the client of this agreement or one of its obligations as a data controller, the controller shall indemnify the contractor against these claims upon the first request.
(3) Furthermore, the client undertakes to indemnify the contractor against any fines imposed on the contractor to the extent that the client bears a share of the responsibility for the violation sanctioned by the penalty.
13. Data subject rights
(1) The client shall be solely responsible for safeguarding the rights of data subjects. Therefore, according to Art. 12-23 GDPR, the contractor must support the client in processing requests from data subjects. In particular, the contractor shall ensure that the information required in this respect is provided to the customer without delay so that the customer can fulfill its obligations under Art. 12 (3) of the GDPR.
(2) Where the contractor's cooperation is required to safeguard data subject rights, in particular for access, rectification, restriction of processing, or erasure by the customer, the contractor shall take the necessary measures in accordance with the customer's instructions in each case. In addition, the contractor shall support the customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise data subject rights.
(3) Provisions regarding possible remuneration of additional expenses incurred by the contractor due to cooperation services in connection with the assertion of data subject rights against the customer shall remain unaffected.
(4) If a data subject asserts their rights under Art. 12-23 GDPR against the contractor, although this concerns the processing of personal data for which the client is responsible, the contractor shall be entitled to inform the data subject that the client is the data controller. In this context, the contractor may inform the data subject of the contact details of the controller.
14. Non-disclosure obligations
(1) Both parties undertake to treat all information received in connection with the performance of this agreement as confidential for an unlimited period and to use it only for the performance of the contract. Neither party shall be entitled to use this information, in whole or in part, for purposes other than those just mentioned or to make it available to third parties.
(2) The above obligation shall not apply to information that one of the parties has demonstrably received from third parties without being bound to confidentiality, or that is publicly known.
15. Remuneration
Unless expressly agreed otherwise, the compensation for the processing of personal data under this agreement is included in the remuneration for the services provided under the main contract.
16. Technical and organizational data security measures
(1) The contractor undertakes towards the client to implement the technical and organizational measures required to comply with the applicable data protection provisions. This includes, in particular, the requirements of Art. 32 GDPR.
(2) The parties agree that changes to the technical and organizational measures may become necessary to adapt to technical and legal circumstances. The Contractor shall coordinate significant changes that may affect the personal data's integrity, confidentiality, or availability with the customer in advance. The contractor may implement measures that involve only minor technical or organizational changes and do not negatively affect personal data integrity, confidentiality, and availability without coordination with the customer. The customer may request an up-to-date version of the technical and organizational measures taken by the contractor at any time.
(3) The contractor shall check its technical and organizational measures' effectiveness regularly and ad hoc. If there is a need for optimization and/or change, the contractor shall inform the customer.
17. Duration of the order/termination
(1) The agreement shall commence upon signature and shall be concluded for an indefinite period.
(2) Either party may terminate the main agreement in whole or in part without notice if the other party fails to fulfill its obligations under this agreement, violates provisions of the GDPR intentionally or with gross negligence, or if the contractor is unable or unwilling to carry out the instruction of the customer.
(3) In the event of simple breaches, i.e., breaches that are neither intentional nor grossly negligent, one party shall set a reasonable deadline for the other party within which the latter may remedy the breach.
18. Return and deletion of data
(1) After termination of the contract, the contractor shall, at the client's discretion, return to the client or delete all documents, data, and processing or utilization results that have come into its possession in connection with the contractual relationship. Any statutory retention obligations or other data storage obligations shall remain unaffected. Documentation that serves as proof of the orderly and proper processing of the data may be retained for evidentiary purposes even after the end of the main contract.
(2) The contractor may store personal data processed in connection with the order beyond the termination of the contract if and to the extent that the contractor has a legal obligation to retain the data. The data may only be processed to implement the respective statutory retention obligations in such cases. After the expiry of the retention obligation, the data must be deleted immediately.
19. Data protection authority
The competent data protection authority, according to the location of the contractor, is the Austrian Data Protection Authority (https://www.dsb.gv.at/).
20. Final provisions
(1) If the customer's property in the contractor's possession is endangered by measures of third parties (such as seizure or attachment), insolvency proceedings, or other events, the contractor shall inform the customer without delay. In addition, the contractor shall notify the creditors without delay that data processed on behalf of the customer is involved.
(2) No verbal subsidiary agreements have been made. Amendments and supplements to this data processing agreement must be made in writing to be effective. This shall also apply to any waiver of the written form requirement.
(3) The place of jurisdiction for all disputes arising from this agreement shall be the contractor's location.
(4) The law of the Republic of Austria shall apply.
(5) Should any provision of this agreement be invalid in whole or in part, this shall not affect the legal validity of the remaining provisions of the contract. The contracting parties undertake to agree on a replacement provision that comes as close as possible to the meaning and purpose of the invalid provision.
Technical and organizational measures
Sprad Software GmbH (contractor) takes the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.
1. Admission control
An external door with a lock secures access to the office building. Access to the office premises is additionally secured with a security lock, incl. a digital smart lock. The digital access authorizations/keys are issued to the employees at the beginning of the employment relationship. Upon termination of the employment relationship, the digital access authorization/key is withdrawn. Every digital access is logged. Third parties have no access to the office premises.
With regard to access control of the Contractor's servers, the subcontractor AWS has the following certifications:
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 27018
- ISO/IEC 27701
- ISO 22301
- ISO 9001
- CSA STAR CCM v.4.0
The data is stored exclusively in the AWS data center in Frankfurt, Germany. For more information about the security measures of the AWS data center in Frankfurt, please visit: https://aws.amazon.com/compliance/data-center/controls/
2. Access control
Technical access control comprises various measures to secure the devices used by employees.
Employees must at least authenticate with a user ID and password to gain access to data processing systems; login via a fingerprint sensor is additionally available. Each employee has their own user account with individual access rights. Login attempts are logged, and if the maximum number of failed login attempts is exceeded, the user account is locked. Unlocking is only possible by an administrator after the employee has been authenticated. After unlocking, the user is required to set a new password.
All end devices and data carriers are encrypted with AES-XTS encryption or a comparable secure encryption technology. This applies to all physical data carriers that allow data access.
The screens are automatically locked after a specified period of inactivity. In addition, all employee computers have virus protection.
A policy on the departure of employees (withdrawal of rights) and a password policy have been adopted. This includes a central password manager in which all employee passwords are administered.
3. Access options
All access options and user roles are defined in authorization concepts and regulated accordingly. All employees are bound to data secrecy. Certificates are issued for authentication, and access is logged. In addition, protocols that provide transport encryption are used. The following cryptographic mechanisms are used: AES-256 and SSE-S3 (server-side encryption of stored data), bcrypt and SHA-256 (hashing), and TLS (SSL) transport encryption.
4. Transfer control
Transport encryption is used. Data records are identified by IDs rather than by plain names or other personal data. The principle of data minimization is observed. A standardized process for the destruction of data media that complies with data protection requirements is in place.
5. Availability control
Availability, rapid recoverability, and protection against losses are ensured by an uninterruptible power supply (UPS), uninterruptible network connection, and daily backups. All offices and server rooms are equipped with fire and smoke detection systems. All server rooms are air-conditioned without interruption.
As mentioned under admission control, all processes at AWS are accredited under the ISO/IEC certifications listed above. The certificates and security measures of the AWS data center in Frankfurt, Germany, can be viewed in detail at the address given under section 1 (Admission control).
6. Data separation control
Development, test, and production environments are separated, and data processing systems are separated according to their specific purposes. Only personal data that is required for the respective purpose is collected. Data protection by design is taken into account during the software development process.