Agreement regarding data protection and data security in contractual relations according to § 11 of the German Data Protection Act (BDSG) – Translation *):
1. Object and duration of contract
Object matter and duration of contract (please refer to agreement).
Eleven will carry out the agreed service exclusively within the framework of the agreement regarding object matter and duration of contract.
2. Extent, form and purpose of intended data processing
The company’s declared objective is the development and operation of IT-security services as well as tools for monitoring and reduction of IT related expenditures of large enterprises, ISPs and integrators. The IT-security services and tools provided allow for the categorization of e-mails, reliably protect against spam, reduce costs and avoid risks in sensitive business areas.
The collection, storage, processing and use of personal data are carried out within the frameworks of contract data processing in accordance with § 11 of the German Data Protection Act (BDSG) in relation to service contracts. For purposes of contract fulfillment, required master data of clients necessary for fulfillment will be collected and stored. These include amongst others name, telephone number, and e-mail address as well as company address of contact persons.
Traffic data for data processing (mainly for detection and clearance of faults and billing purposes) will be stored for purposes of contract fulfillment. Furthermore, traffic data will be stored in an anonymous form for statistical purposes, which serve the client as an efficiency control measure of delivered service. The content of communication in terms of contract data processing will not be stored.
Eleven undertakes to keep confidential the data collected for the purpose of legitimate contract fulfillment in the course of or on the occasion of the cooperation, including trade secrets or other data of this nature worthy of protection. The collection, processing and use of data as well as information on the type of data and the extent of parties affected will only be used for contractual purposes and kept confidential. Eleven must not pass on this information to a third party.
3. Technical and organizational measures
Eleven will ensure that the hard- and software used to store and process client data is adequately protected from unauthorized use through safety and organizational measures according to § 9 of the German Data Protection Act (BDSG). Eleven commits to establish the following technical and organizational measures:
Access control: Unauthorized persons will be denied access to the data-processing units through adequate safeguarding of the data center, control of access and predefinition of authorized personnel.
Admission control: The data processing systems will not be used by unauthorized persons. To ensure this, the following measures were taken: access protection measures, password protection and exclusive use of safe transmission channels.
Access control: The access authorization for personnel is restricted to the extent that each member of staff can only access or influence those processes that are necessary for the execution of her or his work. In addition, firewall systems and measures for user authorization as well as authentication exist.
Transmission Control: For purposes of rendering the contractual services data will exclusively be transmitted to the recipients concerned to the corresponding counterpart. Upon customer's request transmitted data may be encrypted as an additional service if encrypted data has been provided to Eleven.
Input control: As a general rule, clients will maintain their own personal data or transmit such data either directly or by engaging third parties. Changing, removing or entering data through Eleven will only be carried out in special cases and upon specific request by the client, provided it is technically possible.
Order control: Eleven guarantees that personal data concerning the client and provided by the client within the scope of the data processing contracted will be processed exclusively by Eleven.
Availability control: The client guarantees to have taken all necessary measures in order to gain highest possible availability of Eleven’s service. This can be achieved by implementing redundant systems, backups as well as adequate measures for disaster control.
Separation control: An impermissible mergence of data outside their appropriation can be ruled out by implementing Eleven’s technical processes.
The technical and organizational measures can be adjusted to the technical and organizational developments during the term of the contract.
4. Correcting, deleting and blocking of data
Correcting, deleting or blocking personal data may be carried out by Eleven only after receiving specific instructions by the client. Eleven covenants to design its infrastructure in such a way that it corresponds with the client’s needs and ensures immediate implementation of client’s instructions.
5. Eleven’s duties
Eleven covenants to comply with data secrecy in accordance with § 5 of the German Data Protection Act (BDSG) and to respect the same privacy protection rules which apply to the client. Eleven covenants to only deploy staff that is bound to data privacy protection according to the BDSG. Eleven covenants to train and inform its staff regarding the regulations of data protection. In addition, Eleven will monitor compliance with data protection regulations.
6. Sub-contractor relations
The engagement of sub-contractors is only permitted with the prior written consent of the client. In any case, Eleven is obligated to contractually ensure that the agreed terms of data protection also apply to contractors.
7. Client’s rights
The data security engineer of the company or his representative is entitled to monitor data prior to processing as well as in regular intervals as appropriate to ensure compliance to regulations and fulfillment of contractual agreements – especially the technical and organizational measures as stated by Eleven – particularly by collecting information and inspecting the premises in which such works are carried out. Therefore, all necessary documents must be made accessible to the data security engineer of Eleven. Eleven has to reasonably support such monitoring.
Eleven is obliged to immediately inform the client of violations against regulations for personal data protection as well as of violations against agreed terms and conditions. The contracting party is responsible for any damages a client may incur as a result of any violations of the BDSG or other regulations in regard to data protection within a contractual arrangement.
In case any protected data of the client should become endangered by actions of third parties (e.g. legal proceedings or repossession) through insolvency proceedings or equivalent or other legal proceedings Eleven will inform the client without undue delay. The objection against the right of retention according to § 273 of the German Commercial Code (BGB) is herewith excluded.
Eleven may only collect, process and use personal data in accordance with client’s instructions. During the entire duration of the contractual agreement Eleven is bound to client’s instructions.
10. Return, deletion and termination
Eleven will return any documents and results of work in connection with the contractual relationship to the client after finalization of contractual works. The data carriers are to be handed over to the client or must be physically deleted. Security copies for purposes of liability and warranty claims remain unaffected. Eleven will keep these safe until returned to the client upon first request. Eleven will secure the data carriers by means of due safekeeping and archiving to protect against damage and loss. Backups are to be locked by appropriate measures in such a way that any use by Eleven is excluded. Documents and data that are no longer needed may only be destroyed after prior written consent of the client. An adequate proof of such destruction must be provided.
*) In case of doubt the German version shall prevail.