1.  Purposeand Scope

The parties specified in Appendix I("Parties") have agreed to this data processing agreement("DPA") in order to ensure compliance with Art 28(3) and (4) GDPR.

This DPA applies to the processing of personaldata as specified in Appendix II.

Appendices I to IV are an integral part of thisDPA.

2.  Interpretation

Where this DPA uses the terms defined in the GDPR, those terms shallhave the same meaning as in that regulation.

3.  Hierarchy

In the event of a contradiction between this DPA and the provisions ofrelated agreements between the Parties existing at the time when this DPA isagreed or entered into thereafter, this DPA shall prevail.

4.  Descriptionof Processing

The details of the processing operations, in particular the categoriesof personal data and the purposes of processing for which the personal data isprocessed on behalf of the controller, are specified in Appendix II.

5.  Obligationsof the Parties

5.1. Instructions

Theprocessor shall process personal data only on documented instructions from thecontroller, unless required to do so by Union or Member State law to which theprocessor is subject. In this case, the processor shall inform the controllerof that legal requirement before processing, unless the law prohibits this onimportant grounds of public interest. Subsequent instructions may also be givenby the controller throughout the duration of the processing of personal data.These instructions shall always be documented.

Theprocessor shall immediately inform the controller if, in the processor’sopinion, instructions given by the controller infringe the GDPR or theapplicable Union or Member State data protection provisions.

5.2. Anonymization

The controllerauthorizes the processor and the processor is therefore entitled to anonymisethe processed data and utilise the anonymised data for statistical evaluations.For this purpose, any personal reference to the data is removed and cannot berestored.

5.3. Purpose Limitation

The processor shall process the personal data only for the specificpurpose(s) of the processing, as set out in Appendix II, unless it receivesfurther instructions from the controller.

5.4. Duration of the Processing

Processing by the processor shall only take place for the durationspecified in Appendix II.

5.5. Security of Processing

Theprocessor shall at least implement the technical and organisational measuresspecified in Appendix III to ensure the security of the personal data. Thisincludes protecting the data against a breach of security leading to accidentalor unlawful destruction, loss, alteration, unauthorised disclosure or access tothe data ("Personal Data Breach"). In assessing the appropriate levelof security, the Parties shall take due account of the state of the art, thecosts of implementation, the nature, scope, context and purposes of processingand the risks involved for the data subjects.

Theprocessor shall grant access to the personal data undergoing processing tomembers of its personnel only to the extent strictly necessary forimplementing, managing and monitoring of the contract. The processor shallensure that persons authorised to process the personal data received havecommitted themselves to confidentiality or are under an appropriate statutoryobligation of confidentiality.

5.6. Documentation and Compliance

The Partiesshall be able to demonstrate compliance with this DPA.

Theprocessor shall deal promptly and adequately with inquiries from the controllerabout the processing of data in accordance with this DPA.

Theprocessor shall make available to the controller all information necessary todemonstrate compliance with the obligations that are set out in this DPA andstem directly from the GDPR. At the controller’s request, the processor shallalso permit and contribute to audits of the processing activities covered bythis DPA, at reasonable intervals or if there are indications ofnon-compliance. In deciding on a review or an audit, the controller may takeinto account relevant certifications held by the processor.

The Partiesshall make the information referred to in this DPA, including the results ofany audits, available to the competent supervisory authority/ies on request.

5.7. Use of Sub-Processors

Theprocessor has the controller’s general authorisation for the engagement ofsub-processors listed in Appendix IV. The processor shall specifically informin writing the controller of any intended changes of that list through theaddition or replacement of sub-processors at least 14 days in advance, therebygiving the controller sufficient time to be able to object to such changesprior to the engagement of the concerned sub-processor(s). The processor shallprovide the controller with the information necessary to enable the controllerto exercise the right to object.

Where theprocessor engages a sub-processor for carrying out specific processingactivities (on behalf of the controller), it shall do so by way of a contractwhich imposes on the sub-processor, in substance, the same data protectionobligations as the ones imposed on the data processor in accordance with thisDPA. The processor shall ensure that the sub-processor complies with theobligations to which the processor is subject pursuant to this DPA and to theGDPR.

Theprocessor shall remain fully responsible to the controller for the performanceof the sub-processor’s obligations in accordance with its contract with theprocessor. The processor shall notify the controller of any failure by thesub-processor to fulfil its contractual obligations.

5.8. International Transfers

Any transfer of data to a third country or an international organisationby the processor shall be done only on the basis of documented instructionsfrom the controller or in order to fulfill a specific requirement under Unionor Member State law to which the processor is subject and shall take place incompliance with Chapter V of the GDPR.

6.  Assistanceto the Controller

The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requeststo exercise their rights, taking into account the nature of the processing.

The processor shall furthermore assist thecontroller in ensuring compliance with the following obligations, taking intoaccount the nature of the data processing and the information available to theprocessor:

the obligation to carry out an assessment ofthe impact of the envisaged processing operations on the protection of personaldata ("Data Protection Impact Assessment") where a type of processingis likely to result in a high risk to the rights and freedoms of naturalpersons;

the obligation to consult the competentsupervisory authority/ies prior to processing where a Data Protection ImpactAssessment indicates that the processing would result in a high risk in theabsence of measures taken by the controller to mitigate the risk;

the obligations in Art 32 GDPR.

7.  Notificationof Personal Data Breach

In the event of a Personal Data Breach, the processor shall cooperatewith and assist the controller for the controller to comply with itsobligations under Art 33 and 34 GDPR, where applicable,taking into account the nature of processing and the information available tothe processor.

8.  Termination

Following termination of this DPA, the processor shall, at the choice ofthe controller, delete all personal data processed on behalf of the controllerand certify to the controller that it has done so, or, return all the personaldata to the controller and delete existing copies unless Union or Member Statelaw requires storage of the personal data. Until the data is deleted orreturned, the processor shall continue to ensure compliance with this DPA.

‍

9.     APPENDIX I: LIST OF PARTIES

‍

APPENDIX I: LIST OF PARTIES

Processor:

Kanbert Software GmbH, Getreidemarkt 1/10 1060 Vienna, Austria;

FN 553710f

Jürgen Kerner, Data Privacy Officer,  dataprivacy@kanbert.com

APPENDIX II: DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is processed:

Customer and its Employees, former employees, interested parties, contact persons of customers; suppliers and their contacts

Categories of personal data processed:

Name, CustomerID, contact details, employment application data,  working time recording, vacations, sick leave, function, Email addresses,  Login data, contact data, financial data; IP address; Time of visit.

Sensitive data processed:

sick leave data, maternity protection times

Nature of the processing:

Collection, recording, organisation, structuring, storage, adaptation  or alteration, retrieval, consultation, use, disclosure by transmission,  dissemination or otherwise making available, alignment or combination,  restriction, erasure or destruction of data

Purpose(s) for which the personal data is processed on behalf of thecontroller:

Provisioning of services as stipulated in the Agreement

Duration of the processing:

General corresponds to the term of the Agreement

APPENDIX III: TECHNICAL AND ORGANISATIONALMEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITYOF THE DATA

Description of the technical and organisational security measuresimplemented by the processor:

Physical Access Control (To prevent unauthorized persons  from having access to data, all data centers are secured by:

·        documented key administration

·        Biometricals

·        Alarms

Data Access Control (To prevent unauthorized persons  from accessing our data systems)

·        strong password policy

·        Firewalls

·        Logging of software incidents

·        Authorization process for employees

·        Revoking of access rights after expiry of  authorization

Data Transmission Control (To prevent personal data from  being read, copied, modified or removed without authorization during  transmission)

·        Using secure protocols (SSL, TLS)

·        Process for disposal of data storage devices

·        Using secure protocols for remote work (SSH,  VPN).

Input Control (To prevent unauthorized input,  modification or removal of data into our data processing)

·        Employees have access based on their roles

·        Authorizations are approved by authorized  individuals only

Availability Control (To prevent data from being lost)

·        Backups are in place

·        Recovery plans are in place and tested

·        All systems are monitored 24x7 to detect  errors.

APPENDIX IV – LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Purpose

Entity  Name

Entity  Type

Processing  Country

Cloud Infrastructure for the Product

Digimagical GmbH

Cloud Service Provider

Austria, Germany

Availabilty Monitoring

Immutable  VOF

OhDear

Cloud Service Provider

Europe

Performance Monitoring

Functional Software, Inc. d/b/a Sentry

Cloud Service Provider

Worldwide,

SCC Standard European Model Clauses  signed

Service Desk System

FrontApp  Ireland Limited, 21-23 City Quay, 4th Floor, Dublin 2, D02 FP21, Ireland

Cloud Service Provider

Worldwide,

SCC Standard European Model  Clauses signed

Payment Provider

Stripe Technology Europe, The One Building, 1, Lower Grand Canal  Street, Dublin 2, Ireland

Cloud Service Provider

Worldwide,

SCC Standard European Model Clauses signed