AK DIGITAL LLC PLATFORM-AS-A-SERVICE (PAAS) SCHEDULE DATA PROCESSING AGREEMENT PURSUANT TO ART. 28 GDPR

1. BACKGROUND

1.1 AK Digital LLC provides services to its clients (data controllers) that may involve processing of personal data and engages sub-processors to perform specific services that may include access to or processing of such data.

2. DEFINITIONS

2.1 Data Processing and its correlative terms mean any operation or set of operations performed on personal data, or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.2 Personal Data or Personal Information means all data that is processed by the parties in connection with the Services and (i) identifies or can be used to identify, contact, or locate a natural person, (ii) pertains in any way to an identified natural person, or (iii) falls within any definition of “personal data” or “personal information” under any applicable privacy law.

2.3 Data subject refers to the person whose data is processed.

2.4 Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.5 Data Processor means the entity that processes personal data on behalf of the controller.

2.6 Sub-Processor means any third party appointed by or on behalf of the Processor to process personal data.

2.7 Security Incident means a confirmed or reasonably suspected unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

2.8 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation).

3. SCOPE OF THIS SCHEDULE DPA

AK Digital LLC renders the Platform Services to the Client and its Users, which requires the collection and processing of Client Data. This Schedule Data Processing Agreement (hereinafter “DPA”) specifies the obligations of Client (as data controller) and AK Digital LLC (as data processor) under data protection law resulting from any processing of Client Data, which arises from the provision, operation, and use of the Platform Services in accordance with the Contract.

4. SUBJECT MATTER AND DURATION OF PROCESSING

4.1 AK Digital LLC will process Client Data on behalf of Client, who acts as data controller (Art. 4 no. 7 GDPR) and determines the purposes of the respective processing.

4.2 The subject matter of processing Client Data is the provision and operation of the Platform Services to Client and its Users, as specified in this Schedule DPA and the Contract. The term of this Schedule DPA is subject to the term of the Contract. If the Contract is terminated, this Schedule DPA shall end.

4.3 The scope, type, and purpose of processing Client Data is to (a) provide; (b) operate; and (c) enable Client and its Users to use the Platform Services as set out in the Contract. The types of Client Data and the categories of data subjects affected are set out in Annex 1.

4.4 Some processing of Client Data takes place in a member state of the European Union (EU) or another member state to the agreement on the European Economic Area (EEA). Transfer to and processing of Client Data in a country, which is not a member state of the EU or another member state of the EEA, is approved as to the sub-processors disclosed herein and shall only occur if the specific safeguards of Article 44 et seq. GDPR have been fulfilled in order to ensure an adequate level of data protection. AK Digital LLC establishes such a level of adequate data protection through the conclusion of EU Standard Contractual Clauses (Art. 46 para. 2 lit. c and d in conjunction with Art. 47 GDPR).

5. CLIENT'S RESPONSIBILITIES AND GUARANTEES

5.1 As data controller (Art. 4 no. 7 GDPR), Client has sole responsibility over the legitimacy of the processing of Client Data.

5.2 Client guarantees AK Digital LLC that it has:

(a) collected and processed Client Data in a legal, loyal, and transparent manner, for given, explicit, and legitimate purposes, and has duly informed data subjects affected in accordance with Art. 12 et seq. GDPR;

(b) respected its obligations (if applicable) to make a prior declaration about the processing of Client Data with the competent supervisory authority;

(c) checked before the use of the Platform Services that processing Client Data in the framework of the Platform Services complies with the purpose and means of Client Data submitted and made available by Client and its Users into the Platform Services.

6. TECHNICAL AND ORGANIZATIONAL MEASURES

6.1 AK Digital LLC shall implement all technical and organizational measures required by law to ensure a level of security appropriate to the risk of processing Client Data, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing Client Data as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects.

6.2 AK Digital LLC shall document and provide to Client for verification, particularly regarding the specific fulfillment of this Schedule DPA, the implementation scheme for the technical and organizational measures, which are set out in Annex 2.

6.3 The technical and organizational measures are subject to technical progress and further development. AK Digital LLC shall therefore be entitled to implement alternative adequate measures without falling short of the security level and effectiveness of the measures originally defined.

7. RECTIFICATION, RESTRICTION, AND ERASURE OF CLIENT DATA; DATA SUBJECT RIGHTS

7.1 To the extent possible within the functionalities of the Platform Services, Client itself shall rectify, erase, or restrict Client Data. Outside of the scope of the aforementioned functionalities, AK Digital LLC shall rectify, erase, or restrict (e.g., by way of blocking) Client Data upon legitimate instruction by Client.

7.2 The Parties have a common understanding that Client shall handle requests of data subjects. In case a data subject directly addresses AK Digital LLC, requesting the rectification or erasure of personal data or a restriction of processing or asserting other statutory rights of data subjects, AK Digital LLC shall forward such data subject request or assertion to Client without undue delay.

7.3 AK Digital LLC shall support Client within a reasonable extent in the fulfillment of Client's duties vis-à-vis data subjects, in particular, regarding their right of access, right to rectification, right to erasure, right to restriction of processing, the notification obligation regarding rectification or erasure, the right to data portability, as well as the right to object.

8. AUDITS AND OTHER DUTIES OF AK DIGITAL LLC

8.1 AK Digital LLC shall process the Client Data solely in accordance with the Contract, this Schedule DPA, and the legitimate instructions of the Client in order to render the Platform Services.

8.2 AK Digital LLC shall assist the Client to a necessary and reasonable extent in ensuring compliance with statutory obligations, notably in the performance of data protection impact assessments and with any necessary prior consultations of the competent supervisory authority.

8.3 AK Digital LLC shall provide Client with the contact details of its data protection officer. Such contact details are also published under the URL https://runmyprocess.com/imprint/

8.4 AK Digital LLC is obliged to ensure that its employees and vicarious agents, etc., who are able to access Client Data, undertake to comply with statutory data secrecy requirements and appropriate confidentiality obligations. Furthermore, AK Digital LLC's employees and vicarious agents, etc., shall be informed that the confidentiality subject to this Section 8.4 also continues after the termination of the activity.

8.5 AK Digital LLC shall immediately inform Client of any measures and inspections by any supervisory authority regarding the processing of Client Data. The same shall apply in case of any investigations by a competent supervisory authority in the framework of administrative offenses or criminal proceedings.

8.6 AK Digital LLC shall provide to Client, to a reasonable extent, all necessary information for creating a record of processing activities of Client Data. AK Digital LLC shall maintain a separate record of processing activities, possibly in electronic form, in line with statutory requirements.

8.7 AK Digital LLC shall carry out checks on the processing of Client Data relating to its area of responsibility as data processor to ensure compliance with this Schedule DPA.

8.8 AK Digital LLC shall make available to Client all information necessary to demonstrate compliance with applicable data protection law and shall allow for and contribute to audits, including inspections conducted by Client or another auditor mandated by Client, only about the processing of Client Data under the scope of this Schedule DPA.

9. AUDIT RIGHTS

9.1 Client shall be entitled to verify compliance with (a) the obligations under applicable data protection law; and (b) this Schedule DPA, especially with the technical and organizational measures and legitimate instructions issued by Client.

9.2 For this purpose, Client shall have the right throughout the term of this Schedule DPA, in consultation with AK Digital LLC or through auditors to be designated in the individual case, who are suitable and obliged to confidentiality, to have appropriate inspections conducted at AK Digital LLC's business establishment, where processing of Client Data takes place.

9.3 AK Digital LLC undertakes, at the Client's request, to provide to the Client all relevant and necessary information and evidence to comply with applicable data protection law. AK Digital LLC may also present current attestations, reports, or report extracts by independent third persons or a suitable certification by IT security or data protection auditors.

10. SUB-PROCESSORS

10.1 The sub-processors approved by Client upon conclusion of the Contract are set out in Annex 1.

10.2 Client acknowledges and approves that AK Digital LLC may at any time change the Platform, provided that the new Platform satisfies the conditions outlined in this DPA and does not amend the fees for the Platform Services.

10.3 Other sub-processors may only be engaged if:

(a) AK Digital LLC submits the engagement in written or text form with reasonable advance notice and Client does not object for justified reasons.

(b) AK Digital LLC executes agreements with the sub-processors containing comparable data protection provisions and guarantees the implementation of suitable technical and organizational measures.

(c) Processing by sub-processors takes place in a member state of the EU or another member state to the agreement on the EEA or meets the safeguards of Art. 44 et seq. GDPR.

10.4 AK Digital LLC shall remain liable to Client for the performance of the engaged sub-processor's obligations.

11. REPORT OF BREACHES ON THE PART OF AK DIGITAL LLC

11.1 AK Digital LLC shall design the processing of Client Data, operational procedures, and associated processes such that AK Digital LLC can detect and recognize any data protection violations and can report them.

11.2 AK Digital LLC shall notify Client without undue delay if a security breach leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data.

11.3 AK Digital LLC is aware that Client is obliged to notify certain breaches no later than seventy-two (72) hours after becoming aware of them and shall support Client in the fulfillment of these notification obligations.

11.4 AK Digital LLC shall document any personal data breaches affecting Client Data and take appropriate measures, in consultation with Client, to safeguard Client Data and to mitigate any adverse consequences for data subjects.

12. CLIENT’S AUTHORITY TO ISSUE INSTRUCTIONS

12.1 Processing of Client Data shall be governed exclusively by (a) this Schedule DPA; (b) instructions that are possible within the functionalities of the Platform Services; and (c) any other reasonable and justified instructions by Client, which shall be documented in written or in text form in each case.

12.2 Client shall immediately confirm any oral instructions in written or text form.

12.3 AK Digital LLC shall not use Client Data for any other purposes than the purposes laid out in this Schedule DPA and the Contract and shall not make copies without Client's knowledge except for backups required to ensure proper processing.

12.4 AK Digital LLC shall immediately inform Client if, in AK Digital LLC's view, an instruction infringes applicable data protection law and shall be entitled to suspend execution until it is confirmed or changed by Client.

13. DELETION OF CLIENT DATA AND RETURN OF DATA CARRIERS

13.1 The deletion concept is set out in Annex 1.

13.2 After the end of processing or at any earlier date required by Client, AK Digital LLC shall erase all Client Data unless statutory duties of retention exist, which shall be documented and communicated to Client.

ANNEX 1 TO SCHEDULE DPA

TYPES OF CLIENT DATA, AFFECTED DATA SUBJECTS, DELETION OBLIGATIONS, AND SUB-PROCESSORS

1. TYPES OF CLIENT DATA

(a) Master data of Users (e.g., name and email address)

(b) Transaction metadata of Users (e.g., User accounts, login IP addresses)

(c) Client Application data (e.g., User metadata)

(d) Client Data provided by Client and processed by the Client Application

2. AFFECTED DATA SUBJECTS

Affected data subjects are Users, i.e., Client's employees, its service providers (including personnel), and its customers (including personnel).

3. DELETION OBLIGATIONS

All Client Data, Client Content, and Client Applications stored in the Platform Services are deleted after the termination of the Contract and the reversibility period, unless statutory retention obligations apply. In case of such statutory retention periods, AK Digital LLC will delete the respective Client Data at the end of the applicable period.

4. SUB-PROCESSORS (PRIMARY SERVICES)

Sub-processor | Location (Invoicing / Contracts) | Location (Data Storage / Processed) | Function | Further information
Amazon Web Services, Inc. | United States | US, EU, JP, AU (based on client requirements) | Hosting the platform | https://aws.amazon.com
Coralogix Ltd. | Israel | Singapore | Hosting the platform services log files | Coralogix GDPR information

Sub-processors who are involved in the processing of Client Data within the framework of the basic customer support services of the Platform Services are listed below:

Sub-processor | Country | Function | Further information
ZOHO CORPORATION B.V | Netherlands | Hosting customer support ticketing system | https://www.zoho.com/gdpr.html
Google LLC | United States | Hosting email servers for employees | https://cloud.google.com/privacy/gdpr
Hyverr S.R.O | Czech Republic | 2nd-level customer support for the Platform Services | Hyverr GDPR information
PurpleTalk Inc | India | 3rd-level customer support for the Platform Services | https://purpletalk.com/

ANNEX 2 TO SCHEDULE DPA

TECHNICAL AND ORGANIZATIONAL MEASURES

1. AK Digital LLC shall implement such technical and organizational security measures for the processing of any Client Data as provided in the Agreement and shall, upon written request, provide evidence of the implementation of such measures.

2. AK Digital LLC must maintain at least the following technical and organizational security measures, if and to the extent it is responsible for them in relation to the Platform Services:

2.1 Equipment Access Control: AK Digital LLC shall deny unauthorized persons access to processing equipment used for processing. Exceptions may be granted for auditing purposes if supervised by AK Digital LLC and without access to Client Data itself.

AK Digital LLC shall in particular:

(a) specify authorized individuals;

(b) use an access control process to avoid unauthorized access to office rooms;

(c) restrict access to data centers or rooms where servers are located; and

(d) accompany personnel without access authorization at all times.

2.2 Data Media Control: AK Digital LLC shall prevent the unauthorized reading, copying, modification, or removal of data media.

(a) Store data media in secured areas.

(b) Establish rules for the safe destruction of data media no longer required.

(c) Grant personnel minimal permissions to access data media as needed (“need to know”).

2.3 Storage Control: AK Digital LLC shall prevent the unauthorized input, inspection, modification, or deletion of Client Data.

(a) Restrict access to files and programs on a need-to-know basis.

(b) Store data carriers in secured areas.

(c) Establish rules for permanent destruction of data no longer required.

(d) Provide minimal permissions necessary to access data.

2.4 User Control: AK Digital LLC shall prevent the use of automated processing systems by unauthorized persons using data communication equipment.

(a) Protect systems with firewalls and intrusion detection systems.

(b) Log remote access to systems processing Client Data.

(c) Support remote access control with authentication.

(d) Provide remote access only to those who require it.

(e) Deactivate remote access accounts when a user leaves.

2.5 Data Access Control: AK Digital LLC shall ensure that authorized persons have access only to the personal data covered by their access authorization.

(a) Ensure all computers processing Client Data are password protected and locked when idle.

(b) Provide dedicated user IDs for authentication.

(c) Assign individual user passwords.

(d) Support access control with authentication systems, including remote access.

(e) Provide access strictly on a need-to-know basis.

(f) Implement a password policy prohibiting password sharing.

(g) Use password-protected screensavers after 10–15 minutes of inactivity.

(h) Store passwords in encrypted form.

(i) Deactivate user accounts when a user leaves.

(j) Adjust administrator permissions when roles change.

2.6 Communication Control: AK Digital LLC shall maintain adequate records to verify and establish the bodies to which processed Client Data has been transmitted or made available.

2.7 Input Control: AK Digital LLC shall ensure it is possible to verify and establish which personal data has been input, when, and by whom.

(a) Log administrator and user activities.

(b) Permit only authorized personnel to enter or modify Client Data.

2.8 Transport Control: AK Digital LLC shall prevent unauthorized reading, copying, modification, or deletion of personal data during transfers or transportation.

(a) Encrypt data during transmission.

(b) Transport data carriers in sealed containers.

(c) Maintain shipping and delivery notes.

2.9 Recovery: AK Digital LLC shall ensure that installed systems may be restored in the case of interruption.

(a) Create backup copies stored in protected environments.

(b) Perform regular restore tests.

(c) Create contingency and business recovery plans.

(d) Avoid removing Client Data from business computers or premises.

(e) Avoid using private equipment for Platform Services.

(f) Run up-to-date antivirus solutions.

2.10 Reliability: AK Digital LLC shall ensure system functions perform reliably and faults are reported.

2.11 Integrity: AK Digital LLC shall ensure stored Client Data cannot be corrupted by system malfunction.

2.12 Contractual Control: Client Data processed on commission shall be processed solely in accordance with the Contract and Client instructions.

2.13 Availability Control: Client Data shall be protected against disclosure, accidental or unauthorized destruction, or loss.

(a) Maintain backups in protected environments.

(b) Perform regular restore tests.

(c) Keep contingency or business recovery strategies.

(d) Process Client Data only for contracted purposes.

(e) Keep Client Data on AK Digital LLC business equipment unless otherwise authorized.

(f) Avoid using private equipment for the Platform Services.

(g) Maintain a “clean desk” practice.

(h) Implement disposal processes for documents or data carriers with personal data.

(i) Maintain network-level firewalls.

(j) Run up-to-date antivirus solutions.

2.14 Separation: AK Digital LLC shall ensure that Client Data collected for different purposes can be processed separately, based on Client instructions and information.