Data Processing Agreement

The Processor offers a hosted mobile cloud platform to grant AI native control of mobile devices to automate workflows, scrape data, and run QA ("Service") in accordance with Processor's General Terms and Conditions ("Main Agreement").

As part of the execution of the Main Agreement the Customer (as the data controller) provides the Processor with personal data ("Customer's Personal Data"), which the Processor will process on behalf of the Customer.

Where this DPA uses terms that are defined in the GDPR, those terms shall have the meaning ascribed to them in the GDPR.

All communications between the Parties may be conducted in text form, including but not limited to e-mail.

2.1. The Processor shall process Customer's Personal Data on behalf of and in accordance with the instructions of the Customer (processing on behalf). The Customer remains data controller.

2.2. The scope, manner, and purpose of the processing of Customer's Personal Data by the Processor are set out in the Main Agreement and in Annex 1 to this DPA; the processing relates to the types of Customer's Personal Data and categories of data subjects specified therein. The Customer's Personal Data does not include special categories of Customer's Personal Data within the meaning of Art. 9 para. 1 GDPR.

2.3. The Processor reserves the right to anonymize and to use the Customer's Personal Data for the purpose of needs-based designing, developing, and optimizing the Service in compliance with GDPR.

2.4. The Parties conclude this DPA to specify the mutual rights and obligations under the GDPR. In case of doubt, the provisions of this DPA shall take precedence over the provisions of the Main Agreement as far as the processing of Customer's Personal Data is concerned.

2.5. The processing of Customer's Personal Data by the Processor shall in principle take place within the European Union or another contracting state of the European Economic Area ("EEA"). The Processor is nevertheless permitted to process Customer's Personal Data in accordance with the provisions of this DPA outside the EEA if the Processor informs the Customer in advance about the place of processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.

3.1. The Customer, as data controller, is solely responsible for assessing the lawfulness of the processing of Customer's Personal Data and for safeguarding the rights of data subjects in the relationship between the Parties.

3.2. On request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Processor itself.

3.3. If the Processor is required to provide information to a governmental body or person on the processing of Customer's Personal Data or to cooperate with these bodies in any other way, the Customer is obliged at first request to assist the Processor in providing such information and in fulfilling other cooperation obligations.

4.1. The Processor may only process Customer's Personal Data within the framework of the Main Agreement, this DPA and in accordance with the instructions of the Customer. If the Processor is obliged to further processing of Customer's Personal Data by the law of the European Union or of the Member States which the Processor is subject to, the Processor shall inform the Customer about these legal requirements prior to processing, insofar as this is legally permitted.

4.2. The Customer's instructions are initially set out in the Main Agreement and this DPA and may subsequently be amended, supplemented, or replaced by the Customer in text form by specific instructions (individual instructions). The Customer is authorized to issue respective instructions at any time. This includes instructions regarding the rectification and erasure of Customer's Personal Data and the restriction of processing.

4.3. All instructions issued must be documented in text form by both the Customer and the Processor. Instructions that go beyond the service agreed in the Main Agreement are treated as a request for a change in service and are subject to the respective change management regime in the Main Agreement.

4.4. If the Processor is of the opinion that an instruction of the Customer violates this DPA or applicable data protection regulations, the Processor will inform the Customer immediately. The Processor is entitled to suspend the execution of the instruction in question until it is confirmed or changed by the Customer.

5.1. In its area of responsibility, the Processor will design its internal organization in a way that meets the special requirements of applicable data protection laws. The Processor is obliged to take appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Customer's Personal Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects in accordance with Art. 32 GDPR, in particular the measures listed in Annex 2, and to maintain them for the term of this DPA.

5.2. The technical and organizational measures may be adapted to future technological developments. The adapted measures must at least match the security level of the measures agreed to in Annex 2.

5.3. Individuals employed by the Processor are prohibited from processing Customer's Personal Data without authorization. The Processor shall oblige all individuals engaged with the processing of Customer's Personal Data and fulfillment of this DPA accordingly and instruct them about the special data protection obligations arising from this DPA and the existing instruction and purpose limitation. The Processor shall commit all such individuals engaged in processing Customer's Personal Data to confidentiality with respect to the processing of Customer's Personal Data.

6.1. The Processor shall support the Customer to the extent reasonable and necessary with suitable technical and organizational measures in fulfilling the Customer's obligations pursuant to Art. 12 to 22 GDPR against reimbursement of additional expenses and costs incurred by the Processor as a result of this.

6.2. If a data subject asserts rights, such as the right to information, correction, or deletion of their personal data, directly against the Processor, the Processor will not respond independently, but will in a timely manner refer the data subject to the Customer and await the Customer's instructions.

7.1. The Processor shall assist the Customer with suitable technical and organizational measures in fulfilling the Customer's obligations pursuant to Art. 32 GDPR taking into account the nature of processing and the information available to the processor.

7.2. Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security of Customer's Personal Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in its area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations on Customer's request to the extent reasonable and necessary in return for reimbursement of additional expenses and costs incurred by the Processor as a result thereof.

7.3. The Processor shall assist the Customer to the extent reasonable and necessary in return for reimbursement of additional expenses and costs incurred by the Processor as a result thereof with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.

8.1. The Processor shall provide the Customer, at the latter's request, with all information required and available to the Processor to prove compliance with its obligations under this DPA.

8.2. The Customer shall be entitled to audit the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures; including inspections.

8.3. The Customer shall only carry out inspections to the extent necessary and against reimbursement of additional costs and expenses. Any inspections shall not disproportionately disrupt the Processor's operational processes. After timely advanced notification according to Section 8.4 of this DPA, the Customer is – in order to carry out inspections – entitled to access the business premises of the Processor in which Customer's Personal Data is processed within the usual business hours (Mondays to Fridays from 9 a.m. to 6 p.m. CE(S)T)) at its own expense, without disruption of the course of business and under strict secrecy of the Processor's business and trade secrets.

8.4. The Customer shall inform the Processor at least two weeks in advance of all circumstances in relation to the performance of the audit. The Customer may carry out one audit per calendar year. This rule does not apply to audits following a security incident meeting the requirements of Art. 33 GDPR or Art. 34 GDPR.

8.5. The Processor is entitled, at its own discretion and taking into account the legal obligations of the Customer, not to disclose information which are sensitive with regard to the Processor's business or if the Processor would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to gain access to data or information about the Processor's other customers, cost information, quality control and contract management reports, or any other confidential data of the Processor that is not directly relevant for the agreed audit purposes.

8.6. If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing the same way as the Customer is obliged vis-à-vis the Processor according to this Section of the DPA. In addition, the Customer shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Processor the Customer shall immediately submit a copy of the commitment agreement with the third party to the Processor. The Customer may not commission any of the Processor's competitors to carry out the audit.

8.7. The Customer shall document the results of the audits carried out or commissioned by the Customer and inform the Processor about their outcome. In the event of errors or irregularities that the Customer discovers during the audit, the Customer must inform the Processor immediately. If facts are discovered during the review which require changes to the ordered procedure in order to avoid such facts in the future, the Customer shall inform the Processor immediately of the necessary procedural changes.

8.8. At the discretion of the Processor, proof of compliance with the obligations under this DPA may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g., auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g., according to BSI-Grundschutz, if the audit report makes it possible for the Customer in an appropriate manner to convince itself about compliance with the contractual obligations, unless otherwise provided by applicable statutory laws.

9.1. The Customer grants the Processor general authorization to engage further subprocessors with regard to the processing of Customer's Personal Data. The subprocessors listed in Annex 3 are authorized by the Customer. The Processor is authorized to establish further subcontracting relationships with subprocessors within the scope of its contractual obligations. The Processor is obliged to carefully select subprocessors according to their suitability and reliability.

9.2. The Processor shall notify the Customer of any intended changes in relation to the consultation or replacement of subprocessors. In individual cases, the Customer has the right to object to the engagement of a potential subprocessor. An objection may only be raised by the Customer for important reasons which have to be further clarified. Insofar as the Customer does not object in text form within 14 calendar days after receipt of the notification, its right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Main Agreement and this DPA with a notice period of three months.

9.3. The agreement between the Processor and the further subprocessor must impose the same obligations on the latter as those incumbent upon the Processor under this DPA. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this DPA.

9.4. Subject to compliance with the requirements of Section 2.5 of this DPA, the provisions of this Section shall also apply if a further subprocessor in a third country is involved. The Parties agree that in such case the requirements of Section 9.3 above are met if the applicable EU standard contractual clauses for the transfer of personal data to third countries are concluded with the further processor in the third country. The Customer declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.

9.5. The commissioning of third parties with services that are to be regarded as purely ancillary services by the Processor does not constitute a subprocessor relationship within the meaning of these provisions. This includes, for example, postal, transport and dispatch services, cleaning services, telecommunications services without specific reference to services that the Processor provides for the Customer and security services as well as other measures to ensure the confidentiality, availability, integrity and load capacity of the hardware and software of data processing systems. The Processor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.

10.1. The limitations of liability of the Main Agreement shall apply.

10.2. As far as third parties assert claims against the Processor which are caused by the Customer's culpable breach of this DPA or one of its obligations as the controller in terms of the GDPR, the Customer shall indemnify and hold the Processor harmless from these claims.

10.3. The Customer undertakes to indemnify the Processor against all possible fines imposed on the Processor corresponding to the Customer's part of responsibility for the infringement sanctioned by the fine.

11.1. The term of this DPA is based on the term of the Main Agreement unless circumstances of this DPA require otherwise.

11.2. The termination of this DPA shall be governed by the respective provisions of the Main Agreement. A termination of the Main Agreement automatically results in a cancellation of this DPA. An isolated termination of this DPA is excluded.

13.1. In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.

13.2. The exclusive place of jurisdiction for all disputes arising from or in connection with the DPA is Osnabrück. The Processor is also entitled to sue at the Customer's place of business or another competent court.

13.3. The law of the Federal Republic of Germany is applicable.