
Agreement on order data processing (ADV)

Version: 01.09.2023

Introduction

This Agreement on Data Processing ("Agreement") sets out the obligations of the parties in relation to the requirements of the Swiss Federal Act on Data Protection ("DPA") and the General Data Protection Regulation of the European Union ("EU GDPR"). It supplements the contractual agreements ("contract") between aumico AG, Hardturmstrasse 161, 8005 Zurich, Switzerland ("aumico") and the Customer under which aumico acts as service provider to the Customer, and forms an integral part of the contract.

This Agreement applies only if and to the extent that the following requirements are met:

  • the customer is either a controller or a processor within the scope of the DPA and/or the EU GDPR, and
  • the customer engages aumico under the contract as a processor or sub-processor for the processing of personal data that falls within the scope of the DPA and/or the EU GDPR ("personal data").

The parties enter into the following agreements for this purpose.

1. Subject, duration and type of data processing

The subject matter, duration as well as the type and purpose of the processing result from the contract. The categories of personal data processed, the categories of data subjects and the technical and organizational measures ("TOM") to be taken are listed either in the contract or in one or more annexes to this agreement.

2. Scope and responsibility

aumico processes the personal data exclusively for the purpose of fulfilling the contract or for the purposes specified in the contract. The customer is responsible for the lawfulness of the data processing itself, including the permissibility of engaging aumico as processor or sub-processor.

The customer's instructions are documented in this agreement and in the contract. The customer has the right to give aumico additional instructions in writing at any time with regard to the processing of personal data. aumico will comply with these instructions insofar as they can be implemented by aumico within the scope of the contractually agreed services and are objectively reasonable. If such instructions result in additional costs for aumico or a changed scope of services, such additional costs and contractual changes must be agreed in writing.

aumico shall inform the customer without delay if it believes that an instruction violates the DPA or the EU GDPR. aumico may in this case suspend implementation of the instruction in question until it has been confirmed or amended by the customer. In the case of instructions from the customer in connection with the granting of access authorizations or the release of personal data to the customer itself, the above shall not apply, and aumico may assume at all times that such instructions are in compliance with the law. It is, however, entitled to demand corresponding written confirmations from the customer.

3. Duties of aumico

aumico processes the personal data exclusively in accordance with the provisions of the contract and this agreement. The fulfillment of legal, regulatory or official obligations by aumico remains reserved.

aumico undertakes to maintain a register of processing activities with regard to the personal data in accordance with Art. 12 para. 1 DPA and Art. 30 para. 2 EU GDPR. The register current at the time of the conclusion of this Agreement can be found in Annex 1 to this Agreement. aumico shall provide the Customer with the current version upon request.

aumico shall adopt the TOMs for the protection of personal data defined in Annex 2 to this Agreement. aumico may adapt the agreed TOMs at any time as long as the agreed level of protection is not undercut.

aumico ensures that the employees and other auxiliary persons of aumico involved in the processing of customer-related personal data are prohibited from processing the personal data for purposes other than those specified in the contract or in deviation from this agreement. Furthermore, aumico ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality obligation shall continue to apply after termination of the agreement.

aumico shall inform the customer without delay if it becomes aware of any breaches of personal data protection at aumico or one of its subcontractors (data breach). In addition, aumico shall inform the customer in text form (e-mail is sufficient) in an appropriate manner about the nature and extent of the breach and possible remedial measures. In such a case, the parties shall take the necessary measures to ensure the protection of personal data and to mitigate any possible adverse consequences for the affected persons and the parties and shall consult each other on this without delay.

The contact person of aumico for data protection issues arising within the scope of the agreement, as well as the data protection officer in cases where one is required in accordance with Art. 37 EU GDPR, is named in Annex 1 to this agreement.

aumico undertakes to support the customer, upon request and against separate remuneration agreed in advance, within the scope of its possibilities in fulfilling the rights of data subjects vis-à-vis the customer pursuant to Chapter 4 of the DPA and/or Chapter III of the EU GDPR. In addition, aumico may offer the customer further support against separate remuneration (e.g. in connection with a data protection impact assessment, consultation with the supervisory authority, notifications to the latter, etc.).

Personal data must be released or deleted/anonymized after the end of the contract in accordance with the contractual provisions. aumico uses standard industry procedures for the deletion/anonymization of personal data.

4. Duties and obligations of the customer

The customer shall independently take appropriate technical and organizational measures to protect personal data within its area of responsibility (e.g. on its own systems, applications/environments under its operational responsibility).

The customer shall inform aumico without delay if it notices violations of data protection regulations in the provision of services by aumico.

The customer shall name to aumico its contact person for data protection issues arising within the scope of the contract, as well as its data protection officer in cases where one is required in accordance with Art. 37 EU GDPR.

5. Requests from data subjects

If a data subject contacts aumico directly with a request for information, a request for correction or deletion or other requests/claims relating to personal data, aumico will refer the data subject to the customer, provided that an allocation to the customer is possible according to the information provided by the data subject. The support of the customer on the part of aumico with regard to requests from data subjects is governed by section 3.

6. Evidence, reports and audits

aumico shall be obligated to provide the Customer, upon request, with information to document compliance with its obligations under this Agreement.

The parties stipulate that compliance with this obligation is generally evidenced by the fact that aumico is certified in accordance with ISO 27001 (as soon as this certification is available) or that aumico provides the customer with test or audit reports prepared by independent third parties for certain areas or confirmations of certifications, etc. specifically mentioned in the contract. Legally mandatory audit rights of the customer or its supervisory authorities remain reserved. In any case, the principle of proportionality shall be observed within the scope of such audits and the interests of aumico worthy of protection (namely confidentiality) shall be adequately taken into account. Unless otherwise agreed, the Customer shall bear all costs of such audits (including proven reasonable internal costs of aumico incurred in participating in the audit).

If violations of this Agreement or deficiencies in the implementation of the obligations of aumico are identified after submission of evidence or reports or in the course of an audit, aumico shall implement appropriate corrective measures immediately and free of charge.

7. Involvement of subcontractors

aumico is entitled to engage subcontractors. The list of subcontractors current at the time of the conclusion of this agreement can be found in Annex 3 to this agreement. aumico must inform the customer in advance in text form (e-mail sufficient) if it appoints new subcontractors or replaces existing subcontractors after this agreement comes into force. The Customer may object in writing, within a period of 30 days, to the appointment of a new subcontractor or the replacement of an existing subcontractor for important reasons under data protection law. If there is an important reason under data protection law and a mutually agreeable solution cannot be found between the parties, the customer shall be granted a right of termination with respect to the service affected thereby.

aumico will enter into agreements with its subcontractors to the extent necessary to secure its obligations under this Agreement.

8. Disclosure abroad

Any disclosure of personal data by aumico to a third country or to an international organization is only permitted if the provisions of Art. 16 ff. DPA or Chapter V EU GDPR are complied with. If such disclosure of personal data is requested by or on behalf of the customer, however, compliance with the relevant provisions is the sole responsibility of the customer.

9. Further provisions

This Agreement shall enter into force retroactively as of 01.09.2023 and is concluded for the duration of the contract, unless individual provisions of this Agreement give rise to obligations of longer duration.

The agreement is concluded when it is accepted by a user of the customer in the context of ordering services via the website of aumico or in the context of logging in to the aumico platform. aumico may assume, irrespective of the customer's internal regulations or relationships and entries in the commercial register and without further verification of authorization, that a user of the customer who acts vis-à-vis aumico (e.g. by placing an order or logging in to the aumico platform) is authorized to act on behalf of the customer (prima facie power of attorney), which also includes the acceptance and conclusion of this agreement.

In deviation from any written form requirements in the contract, the present agreement may also be amended electronically between the parties.

The obligations arising from this agreement shall apply in addition to the obligations set out in the contract and shall not restrict the latter. In all other respects, the provisions of the contract shall continue to apply unchanged.

Annex 1 - List of processing activities

Status: 01.09.2023

This Annex 1 describes the data processing activities performed by aumico under the Agreement on Order Data Processing (ADV) as part of the contract.

1. Information on aumico

1.1 Contact details of aumico (responsible instruction recipient):

aumico AG, Hardturmstrasse 161, 8005 Zurich, Switzerland

E-mail: hello@aumico.ch

1.2 Contact details of the data protection officer/data protection advisor of aumico:

aumico AG, Chris Zurbrügg, Hardturmstrasse 161, 8005 Zurich, Switzerland

E-mail: privacy@aumico.ch

1.3 Contact details of the data protection representative of aumico in the European Union, who can be contacted by supervisory authorities and data subjects for all questions related to EU data protection law:

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

Email: info@datenschutzpartner.eu

2. Data processing

2.1 General

Within the scope of the contract, the customer provides aumico, at its own discretion and on its own behalf, with personal data and/or data subject to secrecy obligations for processing.

2.2 Purpose of the processing

The personal data entrusted to aumico by the customer and arising therefrom shall be processed exclusively for the purpose of fulfilling the contract and related activities (including maintaining the customer relationship, invoicing, archiving).

2.3 Duration of processing

The personal data will be deleted or anonymized within 120 days after the end of the contract, unless a deletion/anonymization conflicts with longer statutory retention obligations or legitimate interests.

2.4 Persons concerned

aumico processes personal data of internal or external employees of the customer and internal or external employees of the customer's end customers.

2.5 Categories of personal data

aumico processes the following categories of personal data:

  • Contact and identification data as well as (work) organization data such as first name, last name, business and/or private address, business and/or private e-mail address, business and/or private telephone number, country, company, area, department, function, responsibility, signing authority and customer number;
  • Personal information such as language;
  • User account information such as username and password;
  • Contractual and financial data such as type of contract, content of the contract, type of services, applicable terms and conditions, start of the contract, duration of the contract, claims for remuneration, invoicing and payment data, as well as financial data contained in the annual invoices generated via the aumico platform;
  • Interaction and usage data such as correspondence, customer preferences, type and extent of use of services, customer service information such as complaints and information from the assertion of rights, and feedback;
  • Information regarding the use of online services such as frequency of visits, date, time and duration of visits, pages visited, search terms, clicks on content, originating website; information in forms, social media profiles; ratings and comments submitted, IP address; information about the terminal devices used (terminal device type, device ID, manufacturer, operating system, language, device settings, MAC address, etc.), cookie information and browser settings.

2.6 Special statutory secrecy obligations

aumico processes, as an auxiliary person of the customer, personal data which is subject to professional secrecy (e.g. of fiduciaries or tax experts) or, if applicable, to other secrecy obligations under special laws.

3. Place of data processing

3.1 Place of processing of personal data

Personal data is primarily processed in Switzerland and in the EU/EEA. All countries of processing, including those outside the EU/EEA, are listed in Annex 3 (Sub-processors).

3.2 Guarantees for processing outside the EU/EEA

aumico ensures adequate protection of personal data when processing outside the EU/EEA by concluding data processing agreements with the relevant sub-processors, in which these sub-processors are obliged to take sufficient technical and organizational measures to protect the personal data processed and to ensure data security commensurate with the risk, and which include the EU standard contractual clauses (SCC).

3.3 Disclosure of personal data to subcontractors

The third parties listed in Annex 3 (Subcontractors) have access to and process personal data as subcontractors or personal data is brought to the attention of these third parties.

4. Notification of data protection breaches

aumico will notify the Customer without undue delay if aumico becomes aware of a breach of personal data protection that results in or threatens to result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. Notification will be made by email to the known contacts of the Customer.

Annex 2 - Technical and organizational measures (TOM)

Status: 01.09.2023

This Annex 2 describes the technical and organizational measures taken by aumico under the Agreement on Order Data Processing (ADV) as part of the contract to protect the personal data processed and to ensure data security commensurate with the risk (Art. 8 DPA and Art. 3 of the Swiss Data Protection Ordinance (DPO), as well as Art. 32 para. 1 EU GDPR).

This Annex 2 is limited to the description of the technical and organizational measures taken by aumico itself. aumico has contractually obligated its subcontractors (including the operator of the servers on which the aumico platform is hosted and the service provider responsible for the operation and further development of the aumico platform) to take appropriate technical and organizational measures. The description of these technical and organizational measures can be found in the corresponding documentation of the subcontractors. Upon request, aumico will provide detailed information on this.

1. Physical access control

Measures suitable for preventing unauthorized persons from gaining physical access to facilities in which personal data are processed (processing facilities).

aumico ensures this through the following measures:

Technical measures
  • Magnetic or chip cards / transponder systems
  • Manual locking system (keys)
  • Doors with knob on the outside

Organizational measures
  • Accompaniment of visitors

2. System access control

Measures suitable for preventing the use of data processing systems (e.g. computers) by unauthorized persons.

aumico ensures this through the following measures:

Technical measures
  • Login with credentials (e.g. username and password)
  • Login with biometric data
  • Anti-virus software on client computers
  • Anti-virus software on mobile devices
  • Firewall
  • Automatic locking mechanisms (e.g. desktop lock)
  • Encryption of notebooks/tablets
  • Two-factor authentication

Organizational measures
  • Management of user permissions
  • Creation of user profiles
  • Password policy ("secure password")

3. Data access control

Measures suitable for limiting the access of persons authorized to use a data processing system exclusively to the personal data covered by their access authorization, and for preventing the reading, copying, modification or removal of personal data by unauthorized persons (including unauthorized entry into storage and unauthorized viewing, inspection, modification or deletion of stored personal data).

aumico ensures this through the following measures:

Technical measures
  • File shredder (min. security level 3, cross cut)
  • Standard authorization profiles on a "need to know" basis
  • Data protection-compliant disposal of data media that are no longer required
  • Secure storage of storage media
  • Data protection-compliant reuse of storage media

Organizational measures
  • Authorization concept
  • Minimum number of administrators
  • Management of user rights by administrators
  • Periodic review of the assigned authorizations

4. Transfer and transmission control

Measures suitable for preventing the unauthorized reading, copying, modification or removal of personal data during electronic transmission or during transport (including by means of data carriers), as well as measures for checking and determining to which entities the transmission of personal data by means of data transmission equipment is intended or takes place.

aumico ensures this through the following measures:

Technical measures
  • Provisioning over encrypted connections such as SFTP and HTTPS
  • File encryption

Organizational measures
  • Disclosure in anonymized or pseudonymized form
  • Care in the selection of transport personnel and vehicles
  • Documentation of data recipients

5. Input control

Measures suitable for enabling verification and determination of whether, by whom and when personal data have been entered into, modified in or removed from data processing systems.

aumico ensures this through the following measures:

Organizational measures
  • Traceability of entry, modification and deletion of data through individual user names (not user groups)
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Overview of which programs can be used to enter, change or delete which data

6. Order control

Measures suitable for ensuring that the processing of personal data by sub-processors takes place only in accordance with the instructions of the customer.

aumico ensures this through the following measures:

Organizational measures
  • Prior review of the security measures taken by the subcontractor and their documentation (e.g. ISO certification, ISMS)
  • Careful selection of the subcontractor (with regard to data protection and data security) and assignment of the relevant responsibilities
  • Conclusion of the necessary data processing agreement with the sub-processor (incl. the EU standard contractual clauses, if required)
  • In case of longer collaboration: ongoing review of the subcontractor and its level of protection
  • Obligation of the subcontractor to appoint a data protection officer where the corresponding duty exists
  • Agreement on effective rights of control and follow-up (e.g. audits) vis-à-vis the subcontractor
  • Rules on the involvement of further subcontractors
  • Ensuring the destruction or return of data after completion of the order

7. Availability control

Measures suitable for protecting personal data against accidental or deliberate destruction or loss.

The measures to ensure availability control are taken exclusively by the respective subcontractors.

8. Separability

Measures suitable for ensuring the separate processing of personal data collected for different purposes.

aumico ensures this through the following measures:

Technical measures
  • Separation of production and test environments
  • Multi-client capability of the relevant applications

Organizational measures
  • Control via authorization concept
  • Setting of database rights

9. Review, assessment and evaluation

Procedures for regularly reviewing, assessing and evaluating the effectiveness of the technical and organizational measures in order to ensure the security of processing.

aumico ensures this through the following measures:

Data protection management:

Technical measures
  • ISO 27001 security certification (in the course of 2024)
  • Regular review of the effectiveness of the technical protection measures

Organizational measures
  • Internal data protection officer or data protection advisor and external data protection representative (EU)
  • Regular sensitization of employees (at least once a year)
  • Employee training in the area of data protection and security
  • Formalized process for handling requests from data subjects
  • Commitment of employees to confidentiality and data protection (incl. data secrecy)

Incident response management:

Technical measures
  • Firewall (incl. regular updates)
  • Spam filter (incl. regular updates)
  • Virus protection (incl. regular updates)

Organizational measures
  • Involvement of the data protection officer or data protection advisor as well as the data protection representative (EU) in security incidents and data breaches
  • Process for detecting and reporting security incidents / data breaches (also with regard to the reporting obligation to the supervisory authority)
  • Documentation of security incidents and data breaches, e.g. via a ticket system
  • Process and responsibilities for the follow-up of security incidents and data breaches

Privacy-friendly default settings (Privacy by Design / Privacy by Default):

Technical measures
  • No collection of more personal data than necessary for the respective purpose

Organizational measures
  • Definition of the role responsible for privacy/security by design and privacy/security by default in projects
  • Sensitization of the employees concerned to privacy/security by design and privacy/security by default

Annex 3 - Sub-processors

Status: 01.09.2023

This Annex 3 lists the sub-processors engaged by aumico. The appointment of new sub-processors and the replacement of existing sub-processors are governed by the provisions of the Agreement on Order Data Processing (ADV).

Each entry lists the subcontractor (company, address, country), its activity, the personal data it processes and the guarantee in place under the DPA and EU GDPR.

Subcontractor: Modeso AG, Seestrasse 44, 8596 Scherzingen, Switzerland (sister company of aumico)
Activity: Operation (incl. maintenance and support) and further development of the aumico software/platform
Processed personal data: First name/last name, business address, e-mail, phone number, language, country
Guarantee under DPA and EU GDPR: Order data processing agreement

Subcontractor: bexio AG, Alte Jonastrasse 24, 8640 Rapperswil SG, Switzerland
Activity: Invoicing
Processed personal data: First name/last name, business address, e-mail, telephone number of the customer's invoice recipients/main contact persons
Guarantee under DPA and EU GDPR: Agreement on order data processing ("order processing agreement")

Subcontractor: Pipedrive OÜ, Mustamäe tee 3a, Tallinn 10615, Estonia
Activity: Marketing e-mails (newsletter), CRM
Processed personal data: Contact and identification data as well as (work) organizational data and contractual and financial data in accordance with Annex 1 (List of processing activities)
Guarantee under DPA and EU GDPR: Agreement on order data processing ("Data Processing Addendum")

Subcontractor: Twilio Ireland Limited (SendGrid), 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland
Activity: Sign-up, incl. sending of an automated e-mail
Processed personal data: First name/last name, e-mail, country of the customer
Guarantee under DPA and EU GDPR: Agreement on order data processing ("Data Protection Addendum")

Subcontractor: Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland
Activity: Cloud storage, customer data storage
Processed personal data: Contact and identification data as well as (work) organizational data and contractual and financial data in accordance with Annex 1 (List of processing activities)
Guarantee under DPA and EU GDPR: Order data processing agreement ("Cloud Data Processing Addendum")

Subcontractor: Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA
Activity: Analysis of user behavior on the aumico platform
Processed personal data: Information regarding the use of online services in accordance with Annex 1 (List of processing activities)
Guarantee under DPA and EU GDPR: Agreement on order data processing ("Data Processing Addendum") incl. EU standard contractual clauses

Subcontractor: Calendly LLC, 115 E Main Street, Ste A1B PMB 123, Buford, GA 30518, USA
Activity: Appointment scheduling for sales and support purposes
Processed personal data: First name/last name, business address, e-mail, phone number, language, country
Guarantee under DPA and EU GDPR: Agreement on order data processing ("Data Processing Addendum") incl. EU standard contractual clauses