Order processing contract (OPC)

Annex 1 to the contract of the currently valid Terms of Use

This English translation is provided for convenience only. In case of any discrepancies or conflicts between the German and English versions, the German version shall prevail and be binding.

 

Order processing contract (OPC)                   

Between
Ihnen, dem „Nutzer“ der Ghostwraiter Software und Ihrer Dienste,
–   hereinafter referred to as “Client”

and
us, DataClue GmbH,
–   hereinafter referred to as “Contractor”

on order processing within the meaning of Art. 28 (3) of the General Data Protection Regulation (GDPR).

 

Preamble

This Annex specifies the data protection obligations of the contracting parties arising from the current contract of the Terms of Use (hereinafter also referred to as the “Contract”) in its details described order processing. It applies to all activities related to the Contract and in which employees of the Contractor or persons commissioned by the Contractor process personal data (“Data”) of the Client.

 

§ 1     Subject matter, duration and specification of the order processing

The subject matter and duration of the contract as well as the type and purpose of the processing are set out in the contract. In particular, the following data are part of the data processing:

Type of data Nature and purpose of data processing Categories of affected persons
  • E-mail content (incl. attachments)
  • Analysis by AI to generate text suggestions for email responses and other text generation
  • Users of the software, e-mail senders and recipients
  • Email metadata (e.g. date, subject, sender, recipient)
  • Support for AI analysis to contextualize and improve text generation
  • Users of the software, e-mail senders and recipients
  • User information (e.g. user ID, account data)
  • Authentication and authorization of users, personalization of generated texts
  • Users of the software

The term of this annex is based on the term of the contract of the Terms of Use (ToU), unless the provisions of this Order processing contract (OPC) impose further obligations.

§ 2     Scope of application and responsibility

  1. The contractor processes personal data on behalf of the client. This includes activities that are specified in the contract and in the service description. Within the scope of this contract, the client is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the contractor and for the lawfulness of the data processing (“controller” within the meaning of Art. 4 No. 7 GDPR).
  2. The instructions are initially set out in the contract and may subsequently be amended, supplemented or replaced by the Client in writing or in an electronic format (text form) to the office designated by the Contractor by means of individual instructions (individual instructions). Instructions that are not provided for in the contract shall be treated as a request for a change in performance. Verbal instructions must be confirmed immediately in writing or in text form.

§ 3   Obligations of the contractor

  1. The Contractor may only process data of data subjects within the scope of the order and the instructions of the Client unless there is an exceptional case within the meaning of Article 28 (3) a) GDPR. The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.
  2. The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take technical and organizational measures for the appropriate protection of the Client’s data that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). The Contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term. The client is aware of these technical and organizational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.
  3. If agreed, the Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects in accordance with Chapter III of the GDPR and in complying with the obligations set out in Art. 33 to 36 GDPR. (Note: The parties may agree a remuneration provision in the contract).
  4. The Contractor warrants that the employees involved in the processing of the Client’s data and other persons working for the Contractor are prohibited from processing the data outside of the instructions. Furthermore, the Contractor warrants that the persons authorized to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality/secrecy shall continue to exist even after termination of the order.
  5. The Contractor shall inform the Client immediately if it becomes aware of any violations of the protection of the Client’s personal data.
    The Contractor shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects and shall consult with the Client without delay.
  6. The Contractor shall inform the Client of the contact person for data protection issues arising within the scope of the contract.
  7. The contractor guarantees to comply with its obligations under Art. 32 para. 1 lit. d) GDPR to implement a procedure to regularly review the effectiveness of the technical and organizational measures to ensure the security of the processing.
  8. The Contractor shall rectify or erase the contractual data if instructed to do so by the Client and if this is covered by the scope of the instructions. If deletion in compliance with data protection regulations or a corresponding restriction of data processing is not possible, the Contractor shall take over the processing of data carriers and other materials in compliance with data protection regulations on the basis of an individual order by the Client or return these data carriers to the Client, unless already agreed in the contract. (Note: The parties may agree a remuneration provision for this in the contract).
    In special cases to be determined by the client, storage or handover shall take place; remuneration and protective measures for this shall be agreed separately, unless already agreed in the contract. (Note: The parties may agree a remuneration provision for this in the contract).
  9. Data, data carriers and all other materials must either be returned or deleted at the request of the client after the end of the order.
    In the case of test and scrap materials, an individual order is not required.
    If additional costs are incurred due to deviating specifications for the release or deletion of the data, these shall be borne by the client.
  10. In the event of a claim against the Client by a data subject with regard to any claims under Art. 82 GDPR, the Contractor undertakes to support the Client in defending the claim to the extent possible.

 

§ 4   Obligations of the client

  1. The Client must inform the Contractor immediately and in full if it discovers errors or irregularities in the results of the order with regard to data protection regulations.
  2. In the event of a claim against the client by a data subject with regard to any claims under Art. 82 GDPR, Section 3 (10) shall apply accordingly.
  3. The Client shall provide the Contractor with the contact person for data protection issues arising within the scope of the contract.

 

§ 5   Inquiries from affected persons

  1. If a data subject contacts the Contractor with requests for rectification, erasure or access, the Contractor shall refer the data subject to the Client, provided that the data subject can be assigned to the Client according to the information provided by the data subject. The Contractor shall forward the data subject’s request to the Client without delay. The Contractor shall support the Client within the scope of its possibilities upon instruction to the extent agreed. The Contractor shall not be liable if the request of the data subject is not answered by the Client, is not answered correctly or is not answered on time.

 

§ 6   Verification options

  1. The Contractor shall provide the Client with evidence of compliance with the obligations set out in this contract by suitable means.
  2. Should inspections by the client or an auditor commissioned by the client be necessary in individual cases, these shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Contractor may make this dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures that have been put in place. If the auditor appointed by the Client is in a competitive relationship with the Contractor, the Contractor shall have the right to object to this.
    The Client agrees to the appointment of an independent external auditor by the Contractor, provided that the Contractor provides a copy of the audit report.
    The Contractor may demand remuneration for assistance in carrying out an inspection if this is agreed in the contract. The cost of an inspection for the Contractor is generally limited to one day per calendar year.
  3. Should a data protection supervisory authority or another sovereign supervisory authority of the client carry out an inspection, paragraph 2 shall apply accordingly. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality, where a breach is punishable under the German Criminal Code.

 

§ 7   Subcontractors (other processors)

  1. The use of subcontractors as additional processors is only permitted if the client has given its prior consent.
  2. A subcontractor relationship requiring consent exists if the Contractor commissions other contractors to provide all or part of the service agreed in the contract. The Contractor shall enter into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.
    The contractually agreed services or the partial services described below are carried out with the involvement of the following subcontractors:

    Name and address of the subcontractor Description of the partial services
    • Amazon Web Services, Inc.
      410 Terry Avenue North
      Seattle, WA 98109-5210, U.S.A.
      United States
      www.aws.amazon.com
    • Cloud infrastructure and hosting services for processing the content provided as part of the use of Ghostwraiter
    • Microsoft Azure Microsoft Ireland Operations Ltd
      One Microsoft Place
      South County Business Park
      Leopardstown, Dublin 18 D18 P521, Irland
      www.azure.microsoft.com
    • Cloud infrastructure and hosting services for processing the content provided as part of the use of Ghostwraiter
    • Render
      525 Brannan St Ste 300
      San Francisco, California 94107
      United States
      www.render.com
    • Cloud infrastructure and hosting services for processing the content provided as part of the use of Ghostwraiter

    The Contractor shall obtain the Client’s consent before engaging additional or replacing listed subcontractors, whereby this consent may not be refused without good cause under data protection law.

  3. If the contractor places orders with subcontractors, it is the responsibility of the contractor to transfer its data protection obligations under this contract to the subcontractor.

 

§ 8   Duty to inform, written form clause, choice of law

  1. Should the Client’s data at the Contractor be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the “controller” within the meaning of the General Data Protection Regulation.
  2. Amendments and supplements to this Annex and all its components – including any assurances made by the Contractor – require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that it is an amendment or supplement to these Terms and Conditions. This also applies to the waiver of this formal requirement.
  3. In the event of any contradictions, the provisions of this annex on data protection shall take precedence over the provisions of the contract. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of the Annex.
  4. German law applies.

 

§ 9   Liability and compensation

  1. The client and contractor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR.