Data processing agreement.

Our data processing.

everstox GmbH, Ganghoferstr. 68b, 80339 Munich, Germany (“​everstox​”) operates the digital platform https://everstox.com, an online portal for procurement, consulting and software solutions for warehousing, fulfillment, shipping and associated logistics services (“​Platform​”).

The following Data Processing agreements (“DPA​”) shall apply to the use of the Platform by Merchants and Logistics Providers.

everstox, Merchant and/or Logistics Provider may each be referred to as a “Party​” or collectively as “​the Parties​”.

Data processing agreement (“DPA”)

Between

Referring to the party that the commercial offer is addressed to (hereinafter called “Controller”, within the meaning of Art. 4 No. 7 GDPR)

And

Everstox ( hereinafter referred to as the “Processor / Contractor within the meaning of Art. 4 No. 8 GDPR)

(each a “Party” and collectively the “Parties”)

1. Subject matter and duration of the Order or contract

The Subject matter of the Order or Contract results from the Software Service Agreement, which is referred herein as Principal Agreement. This Agreement (in the following also the or this “Agreement” or “Contract”) is legally independent and shall have the same legal fate as the Principal Agreement; the termination of the Principal Agreement shall result in the automatic termination of this Agreement. The contractual parties are aware that any data processing may not be accomplished without a valid data processing agreement. An isolated termination of this agreement shall not be admissible.

2. Specification of the content

2.1 Type of processing 

As part of the order, personal data will be organised/structured, stored, read, used, disclosed, aligned, linked or deleted

2.2 Purpose of the processing

Data are processed for the following purpose: 

• Enable the control, management, optimization, and execution of fulfillment and shipping orders

2.3 Location of the processing

The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the EU or within a Member State of the EEA. Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the documented approval of the Client and shall only occur if the specific Conditions of Articles 44 et seq. GDPR have been fulfilled.

2.4 Type of data

The following types/categories of personal data are processed:

• Personal master data
• Contact/communication data (e.g., telephone, email)
• Contract master data

2.5 Data subject categories

The categories of data subjects include:

• Customers of the controller
• Employees of the controller
• Suppliers of the controller
• Warehouse logistics and shipping service providers of the controller

3 Technical and organisational measures

1. Before starting the processing, particularly with regard to the performance of the specific order, the Contractor shall document the implementation of the necessary technical and organisational measures that were set out before the order was assigned, and pass these on to the Controller to be reviewed. Upon acceptance by the Controller, the documented measures shall form the basis of the order. If changes are required following the review or an audit by the Controller, these shall be implemented by mutual agreement.
2. The Contractor shall ensure the security pursuant Art. 28 (3)(c) and (e) sub-clause 1, Art. 32 GDPR, particularly in conjunction with Art. 5 (1) and (2) GDPR. The measures to be taken are measures to secure data and ensure an appropriate level of security for the risk with regard to the confidentiality, integrity, availability and resilience of the systems and services. The state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, within the meaning of Art. 32(1) GDPR, are to be taken into account [details in Annex 1].
3. The technical and organisational measures are subject to technical advances and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the defined measures must be maintained. Significant changes shall be documented.

4 Quality assurance and other obligations of the Contractor pursuant to Art. 28 (3)(1) GDPR

In addition to compliance with the regulations of this order, the Contractor also has legal obligations as a processor; therefore, the Contractor shall ensure compliance with the following requirements:

1. Where required by law, the Contractor shall appoint a competent and reliable person as a data protection officer, who shall perform the duties pursuant to Art. 38 and 39 GDPR. The contact information of the appointed data protection officer shall be provided to the Controller for the purposes of establishing direct contact. If the Contractor is not obligated to appoint a data protection officer, a point of contact for data protection matters shall be appointed, the contact information of whom shall be provided to the Controller for the purposes of establishing direct contact. The Controller shall be notified without undue delay of any change in data protection officer or point of contact. 
2. Pursuant to Art. 28(3)(2)(b) GDPR, the Contractor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have been made aware of the data protection provisions that are relevant to them beforehand.
3. The Contractor and any person acting under the authority of the Contractor who has access to personal data shall not process those data except on instructions (Art. 29, 32(4) GDPR) from the Controller, including the authority granted under this Contract, unless required to do so by law.
4. The Contractor shall ensure the implementation of and compliance with all technical and organisational measures required for this order pursuant to Art. 28(3)(2)(c), Art. 32 (GDPR) [details in Annex 1].
5. The Controller and the Contractor (and, where applicable, their representatives) shall cooperate, on request, with the supervisory authority in the performance of its tasks (Art. 31 GDPR).
6. The Contractor undertakes to inform the Controller immediately of supervisory inspections and measures to the extent that they apply to this order. This also applies if a responsible authority conducts an investigation of the Contractor as part of an administrative offence or criminal proceedings with regard to the processing of personal data.
7. If the Controller is subject to monitoring by the supervisory authority, an administrative offence or criminal proceedings, a liability claim of a data subject or a third party or another claim relating to the processing by the Contractor, the Contractor shall support the Controller to the best of its ability.
8. The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the data for which it is responsible are processed in line with the requirements of applicable data protection law, and the rights of the data subject are protected.
9. The Contractor shall ensure that it can demonstrate the agreed technical and organisational measures to the Controller as part of its monitoring rights in accordance with § 6 of this Contract.

5 Sub-contracting in accordance with Art. 28(3)(2)(d) GDPR in conjunction with Art. 28(2) and (4) GDPR

1. Sub-contracting services are services that relate directly to the provision of the main service. Services that the Contractor uses purely as ancillary services from third parties in order to perform their business activity are not considered sub-contracting. These include, for example, cleaning services, pure telecommunications services with no specific relation to services provided by the Contractor for the Controller, postal and courier services, transport services or security services. The Contractor is also obligated, including for additional services provided by third parties, to ensure that appropriate precautions and technical and organisational measures have been agreed in order to ensure the protection of personal data. The maintenance and upkeep of IT systems or applications is considered sub-contracting that requires approval and processing within the meaning of Art. 28 GDPR if the maintenance and inspection relates to systems that are used in connection with providing services for the Controller, and personal data that are processed on behalf of the Controller can be accessed during the maintenance.
2. In line with the regulation of Art. 28(2)(1) GDPR, the Contractor shall not use other processors (sub-contractors, sub-sub-contractors) without the prior separate or general written consent of the Controller; the sub-contracting provisions apply (accordingly) to both the sub-contractor as well as to all other engaged (sub-)sub-contractors.
3. The Controller hereby consents to the commissioning of the following subcontractors:

Company	Address / Country	(partial-) service
Amazon Web Services, Inc.  (AWS)	410 Terry Avenue Nord Seattle WA 98109 Vereinigte Staaten	Server hosting
Cloudflare Deutschland GmbH	Rosental 7, c/o Mindspace, 80331 München Deutschland	DDoS protection of production servers

1. The Controller hereby generally approves the commissioning of further processors (sub-contractors) by the Contractor. The Contractor shall notify the Controller of intended changes regarding the involvement or replacement of other processors. The Controller is entitled in individual cases to object to the commissioning of a further potential processor in written or text form. An objection may only be raised by the Controller for good cause to be proven to the Contractor. If the Controller does not raise an objection within 14 days of receipt of the notification, its right of objection with regard to the corresponding order shall expire. If the Controller refuses consent through its objection for other than important reasons, the Contractor may terminate this contract as well as the main contract, if applicable, at the time of the planned use of the subcontractor.
2. The Controller’s personal data may only be transmitted to the sub-contractor, and using said sub-contractor for the first time, if all conditions for sub-contracting have been met. In particular, the Contractor is responsible for transferring its data protection obligations set out in this Contract in accordance with Art. 28(4)(1) GDPR to the other processor.
3. If the sub-contractor provides the agreed service outside the EU/EEA, the Contractor shall take appropriate measures to ensure the admissibility under data protection law in accordance with Art. 44 et seqq. GDPR. The same shall apply if service providers within the meaning of paragraph 1, sentence 2 are to be used. The Contractor has included in the contract with third country subcontractors the EU standard contractual clauses for the transfer of personal data in accordance with Commission Implementing Decision (EU) 2021/914 of June 4, 2021.
4. The Contractor shall provide the Customer with information on the essential content of the contract (services excluding prices) and the implementation of the data protection-relevant obligations of the respective subcontractor upon the latter’s written request (text form sufficient).  
5. Any further outsourcing by the subcontractor shall require the prior express consent of the main contractor (at least in text form); all contractual provisions in the contractual chain shall also be imposed on the further subcontractor.

6 Monitoring rights of the Controller pursuant to Art. 28(3)(2)(h) GDPR

1. In consultation with the Contractor, the Controller has the right to conduct audits or to have audits conducted by auditors to be appointed in each case; these auditors must not be competitors of the Contractor. The Controller has the right to make sure that the Contractor is complying with the provisions of this Contract in its business operations by conducting random inspections; the Contractor shall be notified of such inspections in good time.
2. The Contractor shall ensure that the Controller can be convinced of the Contractor’s compliance with its obligations in accordance with Art. 28 GDPR. The Contractor undertakes to issue the necessary information to the Controller on request and particularly to demonstrate the implementation of the technical and organisational measures.
3. Such measures that do not relate solely to the specific order may be demonstrated by

• compliance with the approved code of conduct pursuant to Art. 40 GDPR;
• certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR;
• current certificates, reports, or excerpts of reports by independent authorities (e.g. auditors, auditing department, data protection officer, IT security department, data protection auditors, quality auditors) and/or
• suitable certification by an IT security or data protection audit (e.g. in accordance with the BSI basic protection).

7 Support and notification obligations of the Contractor pursuant to Art. 28(3)(2)(e) and (f) GDPR – Duty to notify of data breaches

1. The Controller is responsible for safeguarding the rights of the data subject. Taking into account the nature of the processing, the Contractor is obliged to assist the Controller by suitable technical and organisational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR; this means responding to requests from data subjects with regard to the Controller’s duties to provide information to the data subjects, their right of access, right to rectification, erasure, restriction of processing, data portability, as well as related notification obligations of the Controller, the right to object or to automated decision-making including profiling, if the data subject asserts such rights. If the data subject contacts the Contractor directly in order to assert a right, the Contactor shall pass on the data subject’s requests immediately to the Controller.
2. The Contractor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Contractor; this means the fulfillment of the Controller’s legal obligations to secure data, report data breaches to the supervisory authorities and the data subjects, carry out data protection impact assessments as well as consult with the responsible supervisory authority beforehand if necessary as part of the data protection impact assessment. The Contractor and the Controller shall cooperate, on request, with the responsible supervisory authority in the performance of its tasks.

8 The Controller’s authority to issue instructions

1. The Contractor processes personal data only within the scope of the agreements made and on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Contractor is subject (Art. 28(3)(3)(a) GDPR, Art. 29 GDPR). 2In such a case, the Contractor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2. The Contractor shall ensure that data are processed in accordance with the Controller’s instructions. If the Contractor is of the opinion that an instruction issued by the Controller violates this Contract or applicable data protection law, the Contractor shall immediately inform the Controller thereof; after informing the Controller, the Contractor is entitled to suspend performance of the instruction until the instruction has been confirmed or amended by the Controller. The Parties agree that the Controller is solely responsible for the processing performed in accordance with the instruction.
3. The Controller’s instructions are issued in written or text form. If necessary, the Controller may issue instructions verbally (by phone). The Controller shall confirm instructions issued verbally or by phone without undue delay in written or text form.

9 Erasure and return of personal data pursuant to Art. 28(3)(2)(g) GDPR

1. Copies or duplicates of data shall not be created without the Controller’s knowledge. This excludes backup copies, provided these are necessary to ensure proper data processing, as well as data that are required in order to comply with statutory storage obligations.
2. After completion of the contractually agreed work or earlier at the Controller’s request, but no later than at the end of the service agreement, the Contractor shall return to the Controller all documents in its possession, created results of processing and use, as well as data files relating to the order, or to destroy these in accordance with data protection requirements after obtaining the Controller’s prior consent. The same applies to test and scrap material. The record of the erasure shall be presented on request.
3. Documentation that serves to demonstrate proper data processing in accordance with the order shall be stored by the Contractor beyond the end of the Contract in accordance with the respective retention periods. It may be handed over to the Controller at the end of the Contract.

10 Liability

1. The Contractor’s liability under this agreement shall be governed by the disclaimers and limitations of liability provided for in the Software Service Agreement. As far as third parties assert claims against the Contractor which are caused by the Controller´s culpable breach of this agreement or one of his obligations as the controller in terms of data protection law affecting him, the Controller shall upon first request indemnify and hold the Contractor harmless from these claims.
2. The Controller undertakes to indemnify the Contractor upon first request against all possible fines imposed on the Contractor corresponding to the Controller´s part of responsibility for the infringement sanctioned by the fine.

11 Other provisions

1. Both Parties are obliged to keep confidential all knowledge of business secrets and data security measures of the other Party obtained during the contractual relationship, including after termination of the Contract. If there is any doubt about whether information is subject to confidentiality, it is to be treated as confidential until it has been released by the other Party in writing.
2. If the property of the Controller at the Contractor is at risk due to third-party measures (such as attachment or seizure), insolvency or similar proceedings, or other events, the Contractor shall notify the Controller without undue delay.
3. The written form is required for ancillary agreements. This applies equally to waiving this written form requirement.
4. The defence of the right of retention, regardless of the legal reason, shall be excluded with regard to the data processed on behalf of the Controller and the data carrier used.
5. This Contract shall also apply if and to the extent authorities or courts accept a joint controller agreement between the Parties in accordance with Art. 26 GDPR.
6. If individual provisions of this Contract prove to be invalid or unenforceable, either in whole or in part, or become invalid or unenforceable as a result of changes to legislation after entering into the Contract, this shall not affect the remaining provisions of the Contract or the validity of the Contract as a whole. The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that comes as close as possible to the intent and purpose of the invalid provision. If the Contract contains loopholes, the provisions shall be considered agreed that meet the intent and purpose of the Contract and would have been agreed if the Parties had considered the loophole.
7. The Contract will be governed solely by the law of the Federal Republic of Germany, excluding its provisions on the conflict of laws.
8. The exclusive place of jurisdiction for all disputes arising out of or in connection with this Contract is the registered office of the Contractor.