Data processing agreement


in accordance with Art. 28 GDPR

For the tasks to be performed by the contractor under § 1 - hereinafter referred to as the “service agreement” -

between the PublishElite user - hereinafter referred to as the “data controller” - and

Driven Solutions AB, Baldershovsvägen 5C, 85643 Sundsvall, Sweden - hereinafter referred to as the “data processor” - both hereinafter jointly referred to as the “contracting parties” or “parties” -

the following agreement on data processing is concluded:

Preamble 

With the service agreement, the contracting parties have entered into a contract processing relationship. In order to substantiate the rights and obligations arising from this in accordance with the provisions of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – GDPR) the contracting parties conclude the following agreement. 

§ 1 Scope of application and subject matter of the processing

The agreement applies to the collection, processing and deletion (hereinafter: processing) of all personal data (hereinafter: data) for the following services:

Provision of CRM software as software-as-a-service

The data of employees of the data processor do not fall within the scope of the application of the agreement, provided that they relate exclusively to the employment relationship with the data processor.

§ 2 Duration and specification of the contract content 

(1) The duration of the processing of the data results from the existing business relationship between the data controller and the data processor. The processing ends if the client has the processing stopped or the business relationship is terminated.

(2) Notwithstanding the preceding paragraph, the contract shall apply for as long as the data processor processes the data controller's data (including backups).

(3) In the event of a conflict between this agreement and the provisions of related agreements that exist between the parties or that are entered into or concluded later, this agreement shall take precedence.

(4) The scope, nature and purpose of the data processed by the data processor for the data controller can be described as follows: 

As part of the provision of the CRM software GoHighLevel for online marketing in the form of software as a service (SaaS), personal data of the client's customers is processed. This includes, among other things, names, addresses, contact details, purchasing behavior and other relevant information that may be relevant in the context of online marketing.

(5) The following data types or categories are subject to processing by the data processor:

Basic information: name, address, telephone number, email address

Demographic data: gender, age, occupation, education

Online identifiers: cookies, IP address, device ID

Behavioral data: websites visited, click behavior, duration of website visit, interaction with content and advertising

Transaction data: purchase history, type and number of products purchased, time and place of purchase

Communication data: email communication, chat history, customer ratings and feedback

Social media and external platforms: likes and shares, comments, profile information from social networks if used for marketing purposes

Geo-localization data: user location based on IP address, GPS or other technologies

Technical data: operating system, browser type and version, screen resolution

Preferences and interests: product interests, topic preferences, newsletter subscriptions

(6) The group of people affected by the handling of your data are: 

Customers of the client, Prospective customers, Employees of the client, Suppliers of the client, Subscribers

§ 3 Accountability and authority

(1) The contracting parties are accountable for compliance with the data protection provisions. The data controller may at any time demand the disclosure, correction, adjustment, deletion and restriction of the processing of the data. 

(2) In order to ensure the protection of the rights of the data subjects, the data processor shall provide the data controller with appropriate support, in particular by ensuring that appropriate technical and organizational measures are in place. 

(3) If a data subject contacts the data processor directly to assert a data subject right, the data processor shall forward this request to the data controller without delay. 

(4) The data processor may only process data within the scope of the instructions of the data controller, unless the data processor is obliged to do so differently under European Union law or the law of the Member State to which the data processor is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the data processor shall inform the data controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest (Art. 28 (3) sentence 2 (a) GDPR). An instruction is a written, electronic or oral order from the data controller that is directed at a specific way in which the data processor handles data. The instructions must be documented. The instructions are initially defined by the service agreement and can then be changed, supplemented or replaced by the data controller in documented form by means of an individual instruction. 

(5) The data processor shall inform the data controller without delay if it is of the opinion that an instruction violates data protection regulations. The data processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the data controller. 

If the data controller demands that an instruction be carried out even though the data processor has informed the data controller that, in the data processor's opinion, this instruction violates data protection regulations, the data controller alone shall bear the legal consequences resulting from this. 

(6) Changes to the subject matter of the processing with procedural changes must be jointly agreed and documented. The data processor may only provide information to third parties or the data subject with the prior express consent of the data controller in text form. The data processor shall not use the data for any other purposes and, in particular, shall not be entitled to pass them on to third parties. Copies and duplicates shall not be made without the knowledge of the data controller (except for backups).

(7) The data controller maintains the record of processing activities within the meaning of Art. 30 (1) GDPR. The data processor provides the data controller with information for inclusion in the record at the request of the data controller. The data processor maintains a record of all categories of processing activities carried out on behalf of the data controller in accordance with the requirements of Art. 30 (2) GDPR.

(8) The processing of data on behalf of the data controller shall take place exclusively within the territory of the European Union. Processing in a state outside the territory referred to in the first sentence shall only be permitted if it is ensured that, taking into account the requirements of Chapter V of the GDPR, the level of protection guaranteed by the GDPR is not undermined and requires the prior express written consent of the data controller. The basic conditions for the lawfulness of processing shall remain unaffected.

(9) The data processor shall ensure that natural persons acting under its authority who have access to data only process them on instructions from the data controller. If data are processed outside the data processor's premises (e.g. teleworking, home office, mobile working), the data processor shall ensure that appropriate technical and organizational measures are defined and adhered to for the respective processing situation. 

§ 4 Compliance with mandatory legal obligations by the data processor

(1) The data processor shall ensure that the persons authorized to process the data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality and shall prove this to the data controller upon request. This also includes instructing them on the instruction-based processing and purpose limitation that apply in this processing relationship.

(2) The contracting parties shall mutually support each other in providing evidence and documentation of their accountability with regard to the principles of proper data processing, including the implementation of the necessary technical and organizational measures (Art. 5 (2), Art. 24 (1) GDPR). The data processor shall provide the data controller with the relevant information as required.

(3) If required by law, the data processor shall appoint a data protection officer who shall perform his/her duties in accordance with the law. In this case, the data controller shall be informed of the contact details of the data protection officer upon request so that he/she can be contacted directly. 

(4) The data processor shall inform the data controller without undue delay of any inspections and measures by the supervisory authorities or if a supervisory authority, within the scope of its accountability, makes inquiries of, investigates or otherwise collects information from the data processor.

§ 5 Technical and organizational measures and their control

(1) The contracting parties agree on the specific technical and organizational security measures set forth in Appendix 1 “Technical and Organizational Measures” to this agreement. The appendix is an integral part of this agreement.

(2) Technical and organizational measures are subject to technical progress. In this respect, the data processor is permitted to implement adequate alternative measures. In doing so, the level of security of the measures specified in Appendix 1 “Technical and Organizational Measures” must not be compromised. Significant changes must be documented. 

(3) The data processor shall provide the data controller with all the information necessary to demonstrate compliance with the provisions of this agreement and the statutory requirements. In particular, the data processor shall enable and support any reviews/inspections carried out by the data controller or another auditor appointed by the data controller. Proof may be furnished by providing a current certificate, reports from sufficiently qualified and independent bodies (e.g. auditors, independent data protection auditors), by complying with approved codes of conduct in accordance with Art. 40 GDPR, by a certification in accordance with Art. 42 GDPR or by a suitable certification through an IT security or data protection audit (e.g. according to BSI basic protection).

The data processor undertakes to inform the data controller without delay of the exclusion of approved codes of conduct in accordance with Art. 41 (4) GDPR, the revocation of certification in accordance with Art. 42 (7) and any other form of cancellation or significant change to the aforementioned evidence.

(4) The data controller, in consultation with the data processor, may at any time, for inspection purposes, visit the data processor's premises during normal business hours, without disrupting operations, to verify the adequacy of the measures taken to comply with legal requirements or the technical and organizational requirements necessary for the performance of this contract. 

(5) The data processor shall also provide the data controller with all the information necessary for the audits referred to in paragraph 4 and for assessing the impact of the proposed processing operations on the protection of the data (data protection impact assessment within the meaning of Article 35 GDPR). 

(6) The data processor shall, in consultation with the data controller, take all necessary measures to secure the data and ensure the security of the processing, in particular taking into account the state of the art, and to mitigate any possible adverse consequences for data subjects.

§ 6 Notification of violations by the data processor

The data processor shall immediately inform the data controller in the event of serious disruptions to its operations, in the event of suspected violations of this agreement or statutory privacy policies, in the event of violations of such provisions or other irregularities in the processing of the data controller's data. This applies in particular with regard to the reporting obligation under Art. 33 (2) GDPR and to the corresponding obligations of the data controller under Art. 33 and Art. 34 GDPR. The data processor warrants that it will provide the data controller with appropriate support in the event of a data controller obligation under Art. 33 and 34 GDPR. The data processor may only carry out reports for the data controller in accordance with Art. 33 or 34 GDPR after prior instruction in accordance with § 3 of this contract. 

§ 7 Deletion and return of data

(1) Any data carriers and data sets provided remain the property of the data controller. 

(2) After completion of the contractually agreed services or earlier at the request of the data controller, but no later than upon termination of the service agreement, the data processor shall hand over to the data controller or, with the prior consent of the data controller, destroy in a data protection-compliant manner all documents in its possession, processing and usage results and data stocks (including copies or reproductions made thereof) that are related to the contractual relationship. The same applies to test and scrap material. A deletion protocol is to be submitted to the data controller upon request. 

(3) The data processor may store documentation that serves as proof of proper and contractually compliant data processing in accordance with the respective retention periods until the end of such periods, even beyond the end of the contract. Alternatively, the data processor may hand it over to the data controller at the end of the contract for the purpose of exoneration. The obligations under paragraph 2 shall apply to the data stored in accordance with sentence 1 after the end of the retention period.

§ 8 Subprocessors

(1) The Data Processor may only use Sub-Processors with the prior express written consent of the Data Controller. The Sub-Processors involved in the performance of this Agreement are listed in Appendix 2: “Approved Sub-Processing Relationships”. The Data Controller consents to their engagement. Insofar as a general approval in written or text form is involved, the Data Processor shall inform the Data Controller without undue delay of any intended change regarding the involvement or replacement of Sub-Processors. The Data Controller may object to such changes. Services that the data processor uses from third parties as an ancillary service to support the execution of the order, for example telecommunications services, are not considered to be sub-processor services within the meaning of this provision. However, the data processor is obliged to ensure the protection and security of the data controller's data, even in the case of outsourced ancillary services, by means of appropriate and legally compliant contractual agreements and control measures.

(2) If Sub-Processors are engaged by the Data Processor, the Data Processor shall ensure that its contractual agreements with the Sub-Processors are designed in such a way that the level of data protection corresponds at least to the agreement between the Data Controller and the Data Processor and that all contractual and legal requirements are observed; this applies in particular with regard to the use of appropriate technical and organizational measures to ensure an adequate level of security of the processing. 

(3) The data controller shall be granted control and inspection rights in the contractual agreement with the sub-processor in accordance with this agreement. Likewise, the data controller shall be entitled, upon written request, to obtain from the data processor information about the content of the contract concluded with the sub-processor and the implementation of the sub-processor's data protection obligations contained therein.

(4) If Sub-Processors fail to comply with their data protection obligations, the Data Processor shall be liable to the Data Controller for compliance with the Sub-Processor's obligations. In this case, the Data Processor shall, at the request of the Data Controller, terminate the engagement of the Sub-Processor in whole or in part or dissolve the contractual relationship with the Sub-Processor if and to the extent that this is not disproportionate.

§ 9 Data protection control

The data processor undertakes to grant the data protection officer of the data controller (if appointed) and the competent supervisory authority access at all times during normal business hours in order to carry out their respective statutory duties in connection with this contract. In addition to the legal data protection supervision to which it is subject, the data processor shall submit to the control of the data protection supervision to which the data controller is subject and to the control of the data protection officer(s) of the data controller (if appointed), with the exception of areas that have no connection to the fulfillment of the order. In particular, it shall tolerate the aforementioned's rights of access, inspection and questioning, including the inspection of documents protected by professional confidentiality. It shall instruct its employees to cooperate with the aforementioned, in particular to answer their questions truthfully and in full. The aforementioned's existing legal obligations of confidentiality and rights to refuse to give evidence shall remain unaffected.

§ 10 Confidentiality

(1) The contracting parties are obliged to treat as confidential the information made available to them by the other party under this contract, as well as knowledge that they acquire about matters – such as technical, commercial or organizational matters – of the other contracting party during this cooperation, and not to exploit or use this information for purposes other than the implementation of this agreement or to make it available to third parties during and after the term. The use of this information is restricted solely to the execution of this agreement.

(2) This confidentiality obligation does not apply to information that

was already generally known at the time of the conclusion of the contract or

subsequently became generally known without breach of the obligations contained in this agreement or

is the subject of investigations by public authorities or courts and is to be surrendered in the course of these investigations on the basis of an order or a decision.

§ 11 Liability

The statutory provisions shall apply for liability due to violations of the privacy policy or this data protection agreement, unless a different liability agreement has been made in the contractual documents applicable to the contractual services.

§ 12 Final provisions

(1) Amendments and supplements to this appendix and all its components – including any warranties of the data processor – must be agreed in writing and must explicitly state that they are an amendment or supplement to these terms. This also applies to any waiver of this formal requirement.

(2) Should individual provisions of this agreement be invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision whose effects come as close as possible to the objective pursued by the contracting parties with the invalid or unenforceable provision. The above provisions shall apply mutatis mutandis in the event that the agreement proves to be incomplete.

Appendix 1 “Technical and organizational measures”

pursuant to Art. 32 GDPR

Section 5 of the data processing agreement refers to this appendix for a more detailed description of the technical and organizational measures.

Specific description of the technical and organizational measures taken by the data processor, taking into account the nature, scope, context and purposes of processing as well as the different likelihood and severity of the risk to the rights and freedoms of data subjects:

Basic technical and organizational measures in the context of using the cloud provider to provide the services offered are provided directly by the respective service provider. 

1. Confidentiality (Art. 32 (1) (b) GDPR)

1.1 Physical access control

Unauthorized access is to be prevented, whereby the term is to be understood spatially.

Access control system using keys, ID readers, magnetic cards, chip cards

Keys are issued and managed according to a defined process

Access authorization only for authorized persons

Door security (security locks, electric door openers, etc.)

Rooms are locked after work hours

Visitors are logged

Guests are always accompanied within the company premises

Guests must register (visitor book)

Compulsory wearing of ID badges

Access control by security staff, gatekeepers

Careful selection of security and cleaning staff

Video surveillance

Alarm system for entrances and windows

Motion sensors

Server in lockable server cabinets
1.2 Access control to IT systems

Unauthorized access to IT systems must be prevented

Servers can only be used after an individual login

Clients can only be used after an individual login

Login with password procedure (including special characters, minimum length, regular password changes)

Failed login attempts are logged

Instruction to lock the IT system when leaving the workplace

Automatic locking during breaks and after failed logins (e.g., password-protected screen lock)

Set up a user master record for each user

Automated standard routines for regularly updating protective software

Encrypt data storage media

Block external interfaces (USB, etc.)

Mobile IT systems are encrypted

Mobile data storage media are encrypted

Use centralized smartphone administration software (e.g., to remotely delete data)

1.3 Data access control

Unauthorized activities in IT systems outside of granted authorizations are to be prevented

There is a written authorization concept with differentiated authorizations (profiles, roles, transactions, and objects)

A procedure for granting and periodically reviewing authorizations has been defined

Authorizations are set up exclusively by administrators

The number of administrators has been reduced

1.4 Separation control

Data collected for different purposes must also be processed separately

Internal multi-client capability (e.g., data from different clients is logically/physically separated)

Segregation of duties (production/test)

Roles and responsibilities are clearly defined

1.5 Pseudonymization (Art. 32 (1) (a) GDPR; Art. 25 (1) GDPR)

A personal reference is only possible if additional information can be consulted

Personal data is, as far as possible, only stored under a pseudonym

The additional information that can establish a personal reference is kept under lock and key

2. Integrity (Art. 32 (1) (b) GDPR)

2.1 Transfer control

Aspects of the transfer of personal data must be regulated: electronic transmission, data transport, transmission control, etc.

Employees working on customer projects are instructed on the permissible use and transfer of data

Encrypted lines

External access only via encrypted VPN tunnel connection

Electronic signature

Logging of data transfers

Securing of data carrier transports (lockable transport containers), also for paper

Careful selection of transport personnel and vehicles

Sending password-protected files by e-mail

Sending data only in anonymized or pseudonymized form

E-mail encryption

2.2 Input control

The traceability and documentation of data management and maintenance must be ensured

Logging and log evaluation systems (who has entered, changed, deleted what?)

Traceability of data entry, modification, and deletion by individual user names (not user groups)

Employees are obliged to work only under their own user accounts

Control data is stored

Only authorized persons are allowed to access the logs

3. Availability and resilience (Art. 32 (1) (b) GDPR)

3.1 Availability control

The data must be protected against accidental destruction or loss

Procedures for regularly backing up data

Separate and disaster-proof storage of backups

Backups are encrypted

Restoring backups is tested regularly

Mirroring hard disks, e.g., RAID procedure

Use of uninterruptible power supply (UPS)

Server room is air-conditioned

Use of protective programs (virus scanners, firewalls, encryption programs, spam filters)

IT systems are regularly updated with security updates

Fire and smoke alarm systems are available

Fireproof doors to the server room

Emergency plan is available

4. Procedures for regular review, assessment, and evaluation (Art. 32 (1) (d) GDPR; Art. 2)

4.1 Data protection management

A data protection management system (DSMS) is implemented

A data protection manual/guideline is available for employees

A data protection officer is appointed

Regular monitoring by the data protection officer

Employees are trained in data protection

Employees are obliged to handle personal data confidentially

Guidelines for dealing with data breaches are available for employees

Internal guidelines are regularly evaluated and adapted in terms of their effectiveness

A record of processing activities within the meaning of Art. 30 GDPR is kept

Process-independent plausibility and security

4.2 Incident response management

Guidelines in place for what is considered a data breach

Guidelines in place for how to deal with data breaches

Contingency plan in place

4.3 Data protection-friendly default settings (Art. 25 (2) GDPR)

Rights and roles based on the “need to know” principle

External resources are avoided as far as possible

4.4 Order control

Clear contract design

Formalized order placement (order form)

Criteria for selecting the contractor

Control of contract execution

Sub-processors are commissioned in writing

Appendix 2 “Approved subprocessing relationships”

Subcontractor: HighLevel Inc

Address / Country:
400 North Saint Paul St., Suite 920, Dallas, Texas 75201, USA

Data processing: Hosting and operation of the GoHighLevel CRM software

Copyright 2024 | Driven Solutions AB | Privacy Policy