1. PREAMBLE
   1. This agreement is the legal basis for the processing of personal data provided by the controller to the processor in accordance with Article 28 (3) of the General Data Protection Regulation (“GDPR”).
2. SUBJECT MATTER AND DURATION OF PROCESSING
   1. The subject of this order is the performance of the following tasks by the processor for the person responsible: Licensing and operation of the in-manas software solution in accordance with the license agreement concluded between the person responsible and the processor.
   2. This agreement is concluded for the duration of the license agreement between the parties in accordance with point 2.1. It therefore automatically ends at the time when the license agreement in accordance with Section 2.1 ends.
3. NATURE AND PURPOSE OF PROCESSING
   1. The data provided by the person responsible is processed automatically and manually. The processing is carried out by the processor for the purpose of providing the technical and content of the services provided for in the license agreement in accordance with point 2.1. Against this background, the purpose and scope of processing can be summarized as follows:
      1. The purpose of the software licensed by the processor is to collect ideas from natural persons (typically employees), to discuss, summarize and evaluate them. The exact purpose is presented by the person responsible before inviting the first participants in accordance with operational agreements and is visible to all participants on the platform. Participation conditions that can be edited by yourself and are accessible to all participants are available.
      2. The scope of collection and processing is limited to the named persons in the closed platform. Processing includes displaying this data on screen and on data exports for platform administrators and sending emails to platform users.
   2. In principle, the data processing provided for in this Agreement should only be carried out in a member state of the European Union or in a member state of the European Economic Area.
   3. Any transfer of data to a state that is not a member of the European Union or the European Economic Area may only be carried out if (i) this has been expressly agreed between the parties or has otherwise been approved by the person responsible and (ii) the requirements of Art 44 ff GDPR are met. In this case, the processor will inform the person responsible in writing how an adequate level of data protection to enable data transfer is ensured in the relevant state.
4. TYPE OF PERSONAL DATA
   1. The person responsible provides the following personal data for order processing in accordance with this agreement:
      1. Personal master data and communication data (name, e-mail address).
      2. Data relating to submitted ideas, comments and reviews of ideas; questions and answers from surveys
      3. Contract master data, contract billing and payment data for the person responsible.
5. CATEGORIES OF AFFECTED PERSONS
   1. The person responsible declares that:
      1. employees and employees of the person responsible;
      2. customers, interested parties, suppliers, sales representatives, contacts;
      3. sublicensees of the person responsible and the employees and employees of such sublicensees;
6. RESPONSIBILITIES OF THE PERSON RESPONSIBLE
   1. Order processing under this Agreement includes the following categories of data subjects:
      1. the processing of personal data provided to the processor, including their provision to the processor, has been carried out and continues to be carried out in accordance with the relevant provisions of applicable legislation (in particular data protection law and employment law);
      2. he has instructed the processor and will instruct the processor throughout the duration of the data processing services to process the personal data provided only on behalf of the controller and in accordance with applicable legislation;
      3. he will immediately and completely inform the processor if he finds errors and irregularities in the order results with regard to data protection regulations;
      4. it fulfills its obligations to data subjects under the applicable legal situation
7. PROCESSING SAFETY
   1. Within its area of responsibility, the processor must take and describe technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR.
   2. The necessary measures currently implemented by the processor to ensure security of processing in accordance with Article 32 GDPR are described in Appendix ./1.
   3. The technical and organizational measures are subject to technical progress and development. The processor is entitled to implement alternative adequate measures, provided that the security level of the specified measures does not fall below the level of security.
8. OBLIGATIONS OF THE ORDER PROCESSOR
   1. The processor will only process the personal data on documented instructions from the controller — including with regard to the transfer of personal data to a third country or an international organization — unless he is required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of these legal requirements before processing, provided that the relevant law does not provide such notification due to prohibits an important public interest.
   2. The processor ensures that the processor's persons authorized to process the personal data are bound to confidentiality or are subject to an appropriate legal obligation of confidentiality and process the personal data in accordance with Article 32 (4) GDPR only on the instructions of the person responsible, unless they are required to process them under Union or Member State law.
   3. At the request of the person responsible, in accordance with Article 28 (3) (f) GDPR, the processor will participate in preparing a data protection impact assessment and, where appropriate, in prior consultation with supervisory authorities. At the request of the person responsible, the processor will participate in the preparation and update of the list of processing activities of the person responsible, insofar as the documentation of the technical and measures is concerned.
   4. The processor ensures that, wherever possible, it supports the person responsible with appropriate technical and organizational measures to comply with its obligation to respond to requests for the exercise of the data subject's rights set out in Chapter III GDPR. If a data subject contacts the processor by asserting one of the rights set out in Chapter III GDPR, the processor will refer the data subject to the controller, provided that an assignment to the controller is possible according to the data subject. The processor is not liable if the data subject's request is not answered correctly or in due time by the person responsible.
   5. The processor will assist the person responsible in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to it.
   6. The contract processor constantly monitors its data processing processes and systems with regard to compliance with data protection requirements and documents the control. On request, the processor will provide the controller with the documentation as proof of sufficient guarantees.
   7. The processor shall inform the person responsible if there is a suspicion of a personal data breach and about control acts and measures taken by the supervisory authority. The processor is aware that the person responsible is obliged to comprehensively document all breaches of personal data protection and, if necessary, to report them to the supervisory authorities or the data subject within 72 hours. In this case, the processor will assist the person responsible in complying with its reporting obligations and, in particular, provide the information specified in Article 33 (3) GDPR.
   8. The processor will — at the option of the person responsible — either delete or return the personal data provided and the works developed from it after termination of the contract concluded in accordance with point 2.1, unless there is an obligation to store them under Union law or the law of the member states.
   9. If the legal requirements are met, the processor must appoint a data protection officer and inform the person responsible. Any change of data protection officer and contact person for information security issues of the order processor must be notified immediately in writing to the person responsible.
   10. The processor will provide the controller with all necessary information to demonstrate compliance with the obligations set out in this Article and will enable and contribute to checks — including inspections — carried out by the controller or by another auditor appointed by the controller.
   11. The data is handled exclusively within the framework of the agreements made and in accordance with the instructions of the person responsible. Within the scope of the instructions, the standards agreed contractually as part of the order placement, including user documentation and the terms and conditions of the order processor, apply. The processor must immediately inform the person responsible if he believes that an instruction from the person responsible violates data protection regulations of the Union or the Member States. However, the mere acceptance of an instruction by the processor does not constitute an assessment of whether or not it violates data protection regulations. The processor is entitled to suspend compliance with instructions until they have been confirmed or amended again by the person responsible.
9. CONTROL RIGHTS OF THE PERSON RESPONSIBLE
   1. The person responsible has the right to carry out checks in consultation with the processor or to have them carried out by an auditor to be appointed in individual cases. Should inspections by the person responsible or an inspector commissioned by the person responsible be required in individual cases, these will be carried out during normal business hours without disrupting business processes after notification, taking into account a reasonable lead time. The processor may make this dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organizational measures put in place. Should the inspector appointed by the person responsible be in a competitive relationship with the processor, the processor has a right of appeal against the processor.
   2. The contractor ensures that the client is satisfied that the contractor's obligations under Article 28 GDPR are being met. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to prove the implementation of the technical and organizational measures.
   3. Evidence of such measures, which relate not only to the specific order, can be provided by
      1. compliance with approved codes of conduct in accordance with Art 40 GDPR;
      2. certification in accordance with an approved certification process in accordance with Art 42 GDPR;
      3. current certificates, reports or report extracts from independent bodies (e.g. auditors, auditors, data protection officer, IT security department, data protection auditors, quality auditors);
      4. an appropriate certification through an IT security or data protection audit.
   4. To enable checks by the person responsible, the processor can assert a claim for compensation.
10. SUB-PROCESSOR
    1. The processor may use sub-processors to perform its processing activities, but this is subject to compliance with the provisions of the GDPR (in particular Article 28 (2) and (4) GDPR).
    2. By means of a contract or other legal instrument under Union law or the law of the Member State concerned, the same data protection obligations as set out in this contract shall be imposed on the sub-processor, in particular providing sufficient guarantees that the appropriate technical and organisational measures are carried out in such a way that processing is carried out in accordance with the requirements of this Regulation.
    3. The processor currently uses the following sub-processors:

name

• ​

• ​

Mynet GmbH

Bruggfeldstrasse 5, 6500 Landeck

server maintenance

1. By concluding this agreement, the person responsible confirms that it does not object to the sub-processors listed in Section 10.3.
2. In accordance with Article 28 (2) GDPR, the person responsible has the right to object to a change relating to the addition or replacement of sub-processors. For this purpose, the processor will be informed of this fact to the person responsible at least 30 days before a new sub-processor is used. An appeal must be filed within 10 working days.

1. LIABILITY
   1. Responsible person and processor are externally liable in accordance with Article 82 (1) GDPR for material and immaterial damage suffered by a person as a result of a violation of the GDPR. If both the person responsible and the processor are responsible for such damage in accordance with Article 82 (2) GDPR, the parties are internally liable for this damage in accordance with their share of responsibility. In such a case, if a person claims compensation in whole or in part from one party, the other party may demand indemnification or indemnification from the other party, insofar as this corresponds to their share of responsibility.
2. GENERAL PROVISIONS
   1. This agreement includes all agreements between the parties with regard to the subject matter of the contract. There are no oral or written agreements outside the agreement. At the start of the contract, this agreement replaces and terminates all previous oral and written agreements between the parties with regard to the subject matter of the contract.
   2. Additional agreements or amendments to this agreement — including this written form clause — must be made in writing.
   3. References to laws, regulations, documents and annexes apply, unless otherwise expressly stated, to the laws, regulations, documents and annexes in their current version, i.e. including any changes after the date of the contract.
   4. The law of the Republic of Austria applies to this framework agreement, excluding the UN Sales Convention (CISG). The international place of jurisdiction is Austria. The local place of jurisdiction is the registered office of the order processor.
   5. Should individual provisions of this agreement be or become invalid or unenforceable, this shall not affect the effectiveness of the remaining parts. In such a case, the parties agree to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally admissible manner. The same applies to regulatory gaps.

​

Date and signature in accordance with offer and order confirmation

• ​

Date and signature in accordance with offer and order confirmation

• ​

​

ANNEX 1 — GENERAL TECHNICAL AND ORGANIZATIONAL MEASURES

The in-manas system itself is developed at IN-MANAS in the company building and, after testing with artificially generated data on internal servers, is imported into the environment in the data center. Production system (data center), test system (data center) and development system (IN-MANAS) are operated separately. An update is usually carried out gradually.

1. ACCESS CONTROL
   1. The virtualized server infrastructure is provided by Hall AG (H Augasse 6, 6060 Hall in Tyrol). The data center meets international guidelines for IT security. Access to the data center is only possible for Hall AG customers under supervision. During the visit, an official identity document must be left at the reception.
2. IN-MANAS ACCESS CONTROL: CUSTOMER PLATFORM
   1. CUSTOMER PLATFORM (IN-MANAS.COM)
      1. The platform has access controls that can be set up by the administrator himself.
      2. Password security based on complexity as usual in industry
      3. Session — timeout/automatic — logout control
      4. Securing traffic over HTTPS
   2. IN-MANAS SERVER IN THE DATA CENTER (LIVE & TEST)
      1. Only IN-MANAS system administrators responsible for the project have administrative access to the servers. System administrators can only access it in the following way:
         • About the IN-MANAS intranet: with a 1-factor authentication process, only via the SSHv2 protocol
           • Access to the IN-MANAS intranet is only available from the IN-MANAS office: Bienerstraße 4.
           • Or via a VPN connection to the IN-MANAS office network, which is reserved for IN-MANAS system administrators
         • Over the Internet: with a 2-factor authentication process, only via the SSHv2 protocol
         • Employees of mynet GmbH only have access to the servers for maintenance and support of the technical infrastructure after consultation with IN-MANAS administrative staff.

Database access: Access to the in-Manas platform's MySQL database is only provided via the In-Manas Intranet. The IN-MANAS system administration team and the responsible developer of the platform have access to this web interface.

1. IN-MANAS internal systems:
   • password procedure (with numbers, letters and minimum length)
   • Deactivation of accounts for inactive employees before leaving the company
2. ACCESS CONTROL

At least the following structure of the authorization concept and access rights as well as their monitoring and logging is provided:

• Access for the system administration team: The system administration team has full administrative access to the responsible server and database. After the start of entering personal data (at the same time as the so-called “Go Live” of the IN-manas platform), administrative access to the IN-MANAS system administrators is only permitted in an emergency and after consultation with the appropriate project manager.
• Access for the responsible developer: Until the platform goes live, the responsible developer has access to the web server's files, which are withdrawn from him after the start of the project. Access to the database remains available, but is only permitted in an emergency and after consultation with the appropriate project manager.
• Access for the project manager: The project manager has access to the admin area of the platform for the entire duration, which can also be deactivated after consultation.

1. in-manas: customer platform
2. IN-MANAS INTERNAL SYSTEMS, TEST AND PRODUCTION SYSTEMS

1. TRANSFER CONTROL

At a minimum, the following measures are taken when transporting, transmitting or storing on data carriers (manually or electronically) and during subsequent verification:

1. in-manas: customer platform
   • SSL encryption of all connections to in-manas, http requests are rewritten to https
   • The export of personal data is only possible for the administrator.
   • Logging of all essential behavioral elements see point 5 “Input control”
2. IN-MANAS INTERNAL SYSTEMS, TEST AND PRODUCTION SYSTEMS

Encryption during updates: All data carriers that store personal data — in particular the data from the web server and the databases — are stored on AES256bit encrypted data carriers. Backups that are transferred to a third-party system for further backup are encrypted before transfer with a separate AES256bit key, which is only used for the corresponding one-manas platform, and transferred via SFTP via a secure SSHv2 connection

1. INPUT CONTROL

The following measures to subsequently check whether and by whom data has been entered, changed or removed (deleted) are at least in place.

1. IN-MANAS: CUSTOMER PLATFORM
   • Logging of all relevant activities with time stamp and author, e.g.
     • Login
     • Entering, changing ideas
     • Reviews (Quick/Detailed Review)
     • Visitors to ideas and profiles
     • Communication on the bulletin board
   • No physical deletion of data, but via “flags”

1. ORDER CONTROL

At least the following measures (technical/organizational) to differentiate competencies between client and contractor are in place.

• IN-MANAS is offered technically and functionally by IN-MANAS as a standard product. All organizational measures within the framework of this standard are described for the client within the framework of this contract and, upon request, before the conclusion of the contract. By placing a written order, the customer agrees that the present model does not provide for any customer-specific adjustment, neither technical nor data protection law, and that the documented requirements are suitable for the intended use.
• All regulations regarding data protection are made in advance and with all customers to the same extent (standard). The conditions set out in the written order by the customer and order confirmation between the client and IN-MANAS apply. If data protection or terms and conditions are updated due to technical or legal developments, IN-MANAS may provide an updated version. IN-MANAS will draw the customer's attention to this and identify the changes. If the latter does not file an objection within a review period of 4 weeks, the new conditions are considered accepted. Otherwise, the existing ones will continue to exist.
• The supplementary data protection agreement, including this appendix, is considered to be a contract with regard to order data processing

IN-MANAS collects and processes personal data exclusively to the extent necessary for the order. For control purposes, the customer receives regular reports on the collected data and its processing by appointment. For control by the client, it is possible to transmit appropriate server logs to the client.

1. AVAILABILITY CONTROL

The following data backup measures (physical/logical) are minimally available:

• All hard drives are backed up using RAID methods
• Backup — Scope:
• Complete server backup (once a day) (backup A)
• A daily full backup (full backups are kept for at least 14 days (backup B)
• Redundant network connection
• virus protection
• Uninterruptible power supply
• All backups except the final backup are deleted after completion. All backups from Backup A expire after seven days.
• The following restore strategy is used in case of failure:
  • In case of an error: restore from daily backups (backup B)
  • Disaster recovery: recovery from server backups (backup A)

In addition, in order to protect personal data from other destruction, backups are carried out according to the following plan:

• All backups are unencrypted — but on an encrypted file system — on the server responsible for the IN-MANAS platform to ensure the fastest possible restore process.
• An extra encrypted copy of the backups is stored in a separate storage area from the responsible server.
• The entire server responsible for the IN-MANAS platform is backed up once a day. The technology used is so-called ZFS Snapshots. (Backup A)

The servers of the IN-manas platform are monitored 24/7 by a monitoring system. In the event of an outage, the responsible project manager and the IN-MANAS system administration team will be notified of the failure by e-mail as well as via SMS. The response times are the working hours of the responsible IN-MANAS system administration team (Mon-Fr. 9 a.m. to 6 p.m.), unless otherwise agreed with the project manager.

1. SEPARATION CONTROL

At least the following separation measures are in place.

• Separation into production, test and development systems
• Using test data for the development system

‍