top of page

Agreement on contract processing under article 28 GDPR

in-manas: intelligent management solutions GmbH



    1. This Agreement is the legal basis for the processing of personal data provided by the Controller to the Processor pursuant to Article 28(3) of the General Data Protection Regulation ("GDPR").


    1. The object of this order is the performance of the following tasks by the Processor for the Responsible Party: Licensing and operation of the in-manas software solution in accordance with the licence agreement concluded between the Controller and the Processor.

    2. This Agreement is concluded for the duration of the licence agreement existing between the Parties pursuant to Section 2.1. It shall therefore automatically terminate on the date on which the licence agreement pursuant to section 2.1 ends.


    1. The data provided by the data controller shall be processed automatically and manually. The processing is carried out for the purpose of the technical and content-related provision by the processor of the services provided for in the licence agreement in accordance with point 2.1. Against this background, the purpose and scope of the processing can be summarised as follows:

      1. The purpose of the software licensed by the Processor is to collect, discuss, condense and evaluate ideas from natural persons, (typically employed staff). The exact purpose is presented by the processor before inviting the first participants in accordance with operational agreements and on the platform for all participants to see. For this purpose, self-editable conditions of participation are available that are accessible to all participants.

      2. The scope of the collection and processing is limited to the named persons in the closed platform. The processing includes the display of this data on screen and on data exports for the administrator(s) of the platform and the sending of emails to users of the platform.

    2. In principle, the data processing provided for under this Agreement shall only be carried out in a Member State of the European Union or in a Member State of the European Economic Area.

    3. Any transfer of data to a state that is not a member of the European Union or the European Economic Area may only be carried out if (i) this has been expressly agreed between the parties or otherwise approved by the controller and (ii) the requirements of Art 44 et seq. of the GDPR are met. In this case, the Processor shall inform the Controller in writing of how a sufficient level of data protection is ensured in the state in question that allows for a data transfer.


    1. The Controller shall provide the following personal data for the purpose of the commissioned processing pursuant to this Agreement:

      1. Personal master data and communication data (name, e-mail address).

      2. Data relating to ideas submitted, comments and evaluations of ideas; questions and answers from surveys

      3. Contract master data, contract billing and payment data for the responsible party.


    1. The responsible person declares that:

      1. Employees and associates of the responsible person;

      2. Customers, prospects, suppliers, agents, contacts;

      3. sub-licensees of the responsible person and the employees and staff of such sub-licensees;


    1. Commissioned processing under this Agreement shall cover the following categories of data subjects:

      1. the processing of the personal data provided to the Processor, including their provision to the Processor, has been and will continue to be carried out in accordance with the relevant provisions of the Applicable Laws (in particular data protection law and labour law);

      2. he has instructed and will instruct the Processor throughout the duration of the Data Processing Services to process the Personal Data provided only on behalf of the Controller and in accordance with the Applicable Laws;

      3. he will inform the Processor immediately and in full if he discovers errors and irregularities in the results of the order with regard to data protection provisions;

      4. comply with his or her obligations to the data subjects under applicable law


    1. The Processor shall implement and describe technical and organisational measures in its area of responsibility to ensure a level of protection appropriate to the risk in accordance with Art 32 GDPR.

    2. The necessary measures currently implemented by the Processor to ensure the security of processing pursuant to Art 32 GDPR are described in Annex ./1.

    3. The technical and organisational measures are subject to technical progress and further development. The Processor is entitled to implement alternative adequate measures as far as the security level of the specified measures is not undercut.


    1. The Processor shall only process the Personal Data on the documented instructions of the Controller, including in relation to the transfer of Personal Data to a third country or an international organisation, unless it is required to do so by Union or Member State law to which the Processor is subject, in which case the Processor shall notify the Controller of such legal requirements prior to the processing, unless the law in question prohibits such notification on grounds of substantial public interest.

    2. The Processor shall ensure that the persons of the Processor authorised to process the Personal Data are bound to confidentiality or are subject to an appropriate legal duty of confidentiality and process the Personal Data only on the instructions of the Controller pursuant to Article 32(4) of the GDPR, unless they are obliged to process under Union or Member State law.

    3. The Processor shall, at the request of the Controller, participate in the preparation of a data protection impact assessment and, where appropriate, in the prior consultation of the supervisory authorities in accordance with Article 28(3)(f) of the GDPR. At the request of the controller, the processor shall participate in the creation and updating of the controller's list of processing activities as far as the documentation of technical and other measures is concerned.

    4. The Processor shall ensure that, where possible, it supports the Controller with appropriate technical and organisational measures to comply with its obligation to respond to requests for the exercise of the data subject's rights referred to in Chapter III of the GDPR. If a data subject approaches the Processor to exercise any of the rights referred to in Chapter III of the GDPR, the Processor shall refer the data subject to the Controller, provided that an attribution to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered by the Controller, or is not answered correctly or in a timely manner.

    5. The Processor shall assist the controller in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the controller.

    6. The Processor shall continuously monitor its data processing processes and systems with regard to compliance with data protection requirements and document the monitoring. Upon request, the Processor shall provide the Controller with the documentation as evidence of the sufficient guarantees.

    7. The Processor shall inform the Controller in the event of a suspected personal data breach and of any supervisory actions and measures taken by the supervisory authority. The Processor is aware that the Controller is obliged to comprehensively document all personal data breaches and, if necessary, to notify the supervisory authorities or the data subject within 72 hours. In this case, the Processor shall support the Controller in complying with its notification obligations and, in particular, provide the information referred to in Article 33(3) of the GDPR.

    8. The Processor shall - at the choice of the controller - either delete or return the personal data provided and the works developed therefrom after termination of the contract concluded in accordance with point 2.1, unless there is an obligation to store them under Union or Member State law.

    9. If the legal requirements are met, the Processor shall appoint a data protection officer and notify the Controller thereof. Any change of the data protection officer as well as the contact person for information security issues of the Processor shall be notified to the Controller in writing without delay.

    10. The Processor shall provide the Controller with all necessary information to demonstrate compliance with the obligations set out in this Article and shall enable and contribute to verifications, including inspections, carried out by the Controller or by any other auditor appointed by the Controller.

    11. The data shall be handled exclusively within the framework of the agreements made and in accordance with the instructions of the person responsible. The standards contractually agreed within the framework of the contract award, including user documentation and the GTCs of the processor, shall apply to the framework of the instructions. The processor shall inform the controller without delay if it believes that an instruction from the controller violates Union or Member State data protection provisions. However, the mere acceptance of an instruction by the processor shall not constitute an assessment of whether or not it infringes data protection rules. The processor shall be entitled to suspend compliance with instructions until they have been reconfirmed or amended by the controller.


    1. The Responsible Party shall have the right, in consultation with the Processor, to carry out inspections or to have inspections carried out by an inspector to be named in the individual case. If inspections by the responsible party or an auditor appointed by the responsible party are necessary in individual cases, these shall be carried out during normal business hours without disrupting operations after notification and taking into account a reasonable lead time. The Processor may make them dependent on prior notification with reasonable lead time and on the signing of a declaration of confidentiality with regard to the data of other clients and the technical and organisational measures put in place. If the auditor engaged by the controller has a competitive relationship with the processor, the processor shall have a right of objection against the auditor.

    2. The Contractor shall ensure that the Client can satisfy itself of the Contractor's compliance with its obligations pursuant to Art. 28 of the GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures.

    3. Evidence of such measures, which do not only concern the specific order, can be provided through

      1. compliance with approved codes of conduct pursuant to Art 40 GDPR;

      2. certification in accordance with an approved certification procedure pursuant to Art 42 GDPR;

      3. current attestations, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors);

      4. a suitable certification by IT security or data protection audit.

    4. The Processor may claim remuneration for enabling the controller to carry out checks.


    1. The Processor may use sub-processors for the performance of its processing activities, provided that the provisions of the GDPR are complied with (in particular Art 28 (2) and (4) GDPR).

    2. The sub-processor shall be subject to the same data protection obligations as those laid down in that contract by way of a contract or other legal instrument under Union law or the law of the Member State concerned, in particular providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation.

    3. The Processor currently uses the following sub-processors:


  • ​Mynet GmbH

  • Bruggfeldstraße 5, 6500 Landeck

  • Server Wartung


  1. By entering into this Agreement, the Responsible Party confirms not to object to the sub-processors listed in clause 10.3.

  2. Pursuant to Art 28(2) GDPR, the controller has the right to object to a change in the use or replacement of sub-processors. For this purpose, the processor shall inform the controller of this circumstance at least 30 days before a new sub-processor is used. An objection must be made within 10 working days.


    1. The controller and the processor shall be liable externally for material and non-material damage suffered by a person due to a breach of the GDPR pursuant to Art 82(1) GDPR. If both the controller and the processor are responsible for such damage pursuant to Art 82(2) GDPR, the parties shall be internally liable for such damage in proportion to their share of responsibility. If, in such a case, a person makes a claim for damages against one party in whole or in part, that party may demand indemnification or hold harmless from the other party to the extent that this corresponds to its share of responsibility.


    1. This agreement contains all agreements of the parties with regard to the subject matter of the contract. There are no oral or written agreements outside the agreement. This Agreement supersedes and cancels, with effect from the commencement of the Contract, all previous oral and written agreements between the Parties relating to the subject matter of the Contract.

    2. Ancillary agreements or amendments to this agreement - including this written form clause - must be made in writing.

    3. References to laws, regulations, documents and annexes shall, unless expressly stated otherwise, apply to the laws, regulations, documents and annexes as amended from time to time, i.e. including any amendments after the date of the contract.

    4. This framework agreement shall be governed by the law of the Republic of Austria to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG). The international place of jurisdiction is Austria. The local place of jurisdiction is the registered office of the Processor.

    5. Should individual provisions of this agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining parts. In such a case, the parties undertake to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally permissible manner. The same shall apply in the event of loopholes.

Date and signature according to offer and order confirmation

Date and signature according to offer and order confirmation

Annex 1 - general technical and organisational measures

The in-manas system itself is developed at IN-MANAS in the company building and, after testing with artificially generated data on internal servers, is imported into the environment in the data centre. The productive system (data centre), test system (data centre) and development system (IN-MANAS) are operated separately. An update is usually carried out step by step.



    1. The virtualised infrastructure of the servers is provided by Hall AG (H Augasse 6, 6060 Hall in Tirol). The data centre complies with the international guidelines for IT security. Access to the data centre is only possible for customers of Hall AG under supervision. During the visit, an official identification document must be deposited at the reception.



      1. The platform has access protections that can be set up by the administrator. 

      2. Password security according to complexity as usual in the industry

      3. Session - timeout / automatic - logout regulation

      4. Securing of data traffic via HTTPS


      1. Only the IN-MANAS system administrators responsible for the project have administrative access to the servers. Access for the system administrators is only possible in the following way:

        • Via the IN-MANAS intranet: with a 1-factor authentication procedure, only via the SSHv2 protocol.

          • Access to the IN-MANAS Intranet is only available from the IN-MANAS office: Kochstraße 1.

          • Or via a VPN connection to the network of the IN-MANAS offices, which is reserved for IN-MANAS system administrators.

        • Via the Internet: with a 2-factor authentication procedure, only via the SSHv2 protocol.

        • Employees of mynet GmbH are only granted access to the servers for maintenance and support of the technical infrastructure after consultation with the administrative staff of IN-MANAS.

Database access: access to the MySQL database of the In-manas platform is only provided via the IN-MANAS intranet. Access to this web interface is granted to the IN-MANAS System Administration Team and the responsible developer of the platform.

  1. IN-MANAS internal systems:

    • Password procedure (with numbers, letters and minimum length). 

    • Deactivation of accounts for inactive employees before leaving the company


The following minimum design of the authorisation concept and the access rights as well as their monitoring and logging is given:

  • Access for the system administration team: The system administration team has full administrative access to the relevant server and database. After the start of the input of personal data (coinciding with the so-called "Go Live" of the In-manas platform), administrative access to the servers for system administrators of IN-MANAS is only allowed in case of emergency and after consultation with the respective project manager.

  • Access for the responsible developer: Until the "Go Live" of the platform, the responsible developer has access to the files of the web server, which is withdrawn after the start of the project. Access to the database remains, but is only permitted in an emergency and after consultation with the relevant project manager.

  • Access for the project manager: the project manager has access to the admin area of the platform for the entire duration of the project, which can also be deactivated after consultation.


  1. in-manas: Customer platform



The following measures during transport, transmission and transfer or storage on data carriers (manually or electronically) as well as during subsequent verification shall be taken as a minimum:

  1. in-manas: Customer platform

    • SSL encryption of all connections to in-manas, http requests are rewritten to https

    • Export of personal data is only possible for the administrator.

    • Logging of all essential behavioural elements see point 5 "Input control".


Encryption for updates: All data carriers that store personal data - in particular the data of the web server and the databases - are stored on AES256bit encrypted data carriers. Backups that are transferred to an external system for further protection are encrypted before transfer with a separate AES256bit key that is only used for the correspondingein-manas platform and transferred via a secure SSHv2 connection via SFTP.


The following measures for subsequent verification of whether and by whom data has been entered, changed or removed (deleted) are given as a minimum.


    • Logging of all relevant activities with time stamp and author e.g.

      • Login

      • Input, change ideas

      • Ratings (Quick / Detailed rating)

      • Visitors of ideas and profiles

      • Communication on the pinboard

    • No physical deletion of data, but by "flags



The following measures (technical / organisational) for the demarcation of competences between client and contractor are at least given.

  • IN-MANAS is offered technically and functionally as a standard product by IN-MANAS. All organisational measures within the scope of this standard are described for the customer within the scope of this contract and, upon request, beyond that before conclusion of the contract. With the written order, the customer agrees that no customer-specific adaptation of either a technical or data protection nature is provided for in the present model and that the documented requirements are suitable for the intended use.

  • All regulations regarding data protection are made in advance and to the same extent with all customers (standard). The terms and conditions shall apply which are defined in the written order by the customer and order confirmation between the customer and IN-MANAS. In case of updating of data protection or GTC due to technical or legal development IN-MANAS can provide an updated version. IN-MANAS will draw the customer's attention to this and indicate the changes. If the customer does not object within a review period of 4 weeks, the new terms and conditions shall be deemed accepted. Otherwise the existing conditions shall continue to apply.

  • The supplementary agreement on data protection including this annex shall apply as the contract regarding commissioned data processing.

Personal data shall be collected and processed by IN-MANAS exclusively to the extent necessary for the order. For control purposes, the customer receives regular reports on the collected data and its processing after consultation. For control by the customer, there is the possibility to transmit corresponding server logs to the customer.



The following data backup measures (physical / logical) are minimally in place:

  • All hard disks are backed up using RAID procedures

  • Backup - Scope:

  • Complete server backup (1x daily) (Backup A)

  • One daily full backup (full backups are kept for at least 14 days (Backup B))

  • Redundant network connection

  • Virus protection 

  • Uninterruptible power supply

  • All backups except the final backup are deleted after completion. All backups from backup A expire after seven days.

  • The following restore strategy is used in case of failure:

    • In case of failure: recovery from the daily backups (backup B)

    • Disaster recovery: Restore from the server backups (Backup A)

Furthermore, in order to protect the personal data from being otherwise destroyed, backups are carried out according to the following schedule:

  • All backups are unencrypted - but on an encrypted file system - on the server responsible for the IN-MANAS platform to ensure the fastest possible restore process.

  • An extra encrypted copy of the backups is stored on a separate storage area from the responsible server.

  • The entire server responsible for the IN-MANAS platform is backed up once a day. The technique used for this is so-called ZFS snapshots. (Backup A)

The servers of the In-manas platform are monitored 24/7 by a monitoring system. In the event of a failure, the responsible project manager and the IN-MANAS system administration team are informed of the failure by e-mail and SMS. The response times are based on the working hours of the responsible IN-MANAS System Administration Team (Mon-Fri 9am-6pm), unless otherwise agreed with the project manager.



The following separation measures are given as a minimum.

  • Separation into productive, test and development system

  • Use of test data for the development system

bottom of page