INPOSIA Solutions GmbH Services Data Processing Agreement

Last updated August 23, 2022

This DPA is incorporated into the Contract between INPOSIA Solutions GmbH (“Inposia” or “us” or “our”) and Customer. If a provision of this INPOSIA Solutions GmbH Services Data Processing Agreement (“DPA”) conflicts with a provision of the Contract, the provision in this DPA governs. Capitalised terms used and not otherwise defined in this DPA have the meanings provided in the Contract.

  1. Except as amended by this DPA, the Contract will remain in full force and effect.
  2. To the extent that the terms of this DPA and the Contract conflict, the terms of this DPA prevail.
  3. This DPA will automatically expire on the termination or expiration of the Contract.

Inposia serves enterprises, public sector entities and other organisations (“Customer”) and protects Services Data in compliance with the terms of this DPA. Services Data means personal data relating to named or identifiable individuals that Customer’s authorised users (“Authorised Users”) provide in compliance with applicable law and our applicable service agreements or other commercial contract terms (“Contract”) when Customer uses our service offerings and related data processing services as described in our data sheets, service specifications, and other technical documentation, as amended from time to time (“Services”).

  1. Control and Ownership. Customer owns and controls all Services Data. Inposia does not use Services Data, except: (a) in the interest and on behalf of Customer; (b) as necessary to provide the Services, or (c) as contemplated or directed by the Contract. Inposia returns or deletes Services Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated, subject to applicable law.

  2. Security. Inposia applies technical, administrative and organisational data security measures that meet or exceed the requirements described in Exhibit 1 (“Security”). Inposia may update and modify Exhibit 1 from time to time, provided that Inposia must not reduce the level of security provided thereunder, except with Customer’s consent or with 90 days prior written notice.

  3. Cooperation with Compliance Obligations. At Customer’s reasonable request, Inposia will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Inposia, and (b) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Services Data and that, due to their nature, can only be satisfied by Inposia in its role as service provider or that Customer specifically explains and assigns to Inposia in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. If Customer can no longer legally use Inposia’s products due to changes in law or technology, Inposia shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.

  4. Submit to Audits. Inposia submits to reasonable data security and privacy compliance audits subject to reasonable precautions and safeguards for the data of other customers.

  5. Notify Breaches. Inposia notifies Customer of unauthorised access to Services Data and other security breaches as required by applicable law.

  6. No Information Selling or Sharing for Cross‐Context Behavioral Advertising. Inposia does not accept or disclose any Services Data as consideration for any payments, services, or other items of value. Inposia does not sell or share any Services Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act (“CCPA”). Inposia processes Services Data only for the business purposes specified in the written Contract. Inposia does not retain, use, or disclose Services Data (a) for cross‐context behavioral advertising, or (b) outside the direct business relationship with Customer. Inposia does not combine Services Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA.

  7. Personal Data subject to the GDPR or similar laws: With respect to any Services Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "personal data," Inposia accepts the following obligations as a data importer, processor or sub-processor of Customer and warrants that Inposia:

    (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;

    (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);

    (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;

    (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects)

    (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;

    (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

    (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

  8. Integration. This DPA is binding after a Contract has been signed between Inposia and Customer, and Customer may collect a signed copy of this DPA at https://avalara.na1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhD2n3lJx_SJQBninpm6gIWv7Qv-SWCFMPtqYvBVkhOEyU8TPFZQG8djHD8vHqxQcVM*. This DPA shall not create third party beneficiary rights. Inposia does not accept or submit to additional requirements relating to Services Data, except as specifically and expressly agreed in writing with explicit reference to the Contract and this DPA.

  9. Notice. Avalara shall provide Customer with legal notices in writing by email, mail, or courier to the address provided by Customer. Except as otherwise specified in the Agreement, all notices to Avalara must be in writing and sent as follows:

Email: DataProtection@inposia.com

Attn: Legal Department

INPOSIA Solutions GmbH

Ottostraße 18, D-76227 Karlsruhe


EXHIBIT 1:

SECURITY

A. Integrity

1. Data Transfer Control

  • Installation of dedicated lines or VPN tunnels

2. Data Entry Control

  • Logging of input, amendment and deletion of data
  • Transparency of input, amendment and deletion of data by individual user names (not user groups)
  • Assignment of rights of input, amendment and deletion of data on the basis of an authorisation concept

B. Confidentiality

1. Physical Access Control (Data Center): No unauthorised access to Data Processing Facilities

  • Alarm system
  • Protection of building shafts
  • Chip card/transponder lock system
  • Automatic access control system
  • Biometric entrance barriers
  • Light barriers/motion detectors
  • Key provision (issue of keys etc.)
  • Visitors’ log
  • Diligent selection of security staff
  • Video surveillance of entries
  • Safety locks
  • Diligent selection of cleaning staff
  • Identity check with gatekeeper/reception
  • Duty to wear authorisation passes

2. Physical Access Control (Processor): No unauthorised access to Data Processing Facilities

  • Manual lock system
  • Key provision (issue of keys)
  • Safety locks
  • Diligent selection of cleaning staff

3. Electronic Access Control

  • Assignment of user rights
  • Password allocation
  • Creation of user profiles
  • Authentication by means of username / password
  • Safety locks
  • Key provision (issue of keys)
  • Assignment of user profiles to IT systems
  • Deployment of VPN technology
  • Diligent selection of cleaning staff
  • Encryption of data carriers in laptops / notebooks
  • Encryption of mobile data carriers
  • Use of intrusion detection systems
  • Use of anti-virus software
  • Use of a hardware firewall

4. Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorised reading, copying, changes or deletions of data within the system

  • Creation of an authorisation concept
  • Number of administrators reduced to a minimum
  • Logging of data access to applications, in particular for input, amendment and deletion of data
  • Use of document shredders or service providers (if possible with data protection seal of quality)
  • Encryption of data carriers
  • Administration of the rights by system administrator
  • Password guideline including length of password, change of password
  • Proper destruction of data carriers (DIN 66399)
  • Logging of destruction

5. Isolation Control

  • Creation of an authorisation receipt
  • Logical separation of clients
  • Determination of database rights
  • Separation of production and test systems

6. Availability and Resilience

  • Uninterruptible power supply (UPS)
  • Equipment for the monitoring of temperature and humidity in server rooms
  • Fire and smoke alarms
  • Alarm signal in case of unauthorised access to server rooms
  • Testing of data recovery
  • Storage of data backup at a safe, different place
  • Air-conditioning in server rooms
  • Security socket strips in server rooms
  • Fire extinguishers in server rooms
  • Creation of a backup and recovery concept
  • Creation of a contingency plan

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:

  • Data protection management system
  • Data protection by design and default
  • Order or Contract Control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Controller, e.g.: clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks