Annex 1
Data Processing Agreement
Data Processing Agreement between payever GmbH, Rödingsmarkt 20, 20459 (“payever”) and its Business Customer
Preamble
1 Scope
When providing the services pursuant to the General Terms and Conditions for Business Customers (the “Main Agreement”), payever processes personal data provided by the Business Customer in order to provide the services, and the customer functions as the data controller for purposes of data protection law (the “Customer Data”). This Annex specifies the data protection duties and rights of the Parties in connection with the processing of the Customer Data for the purpose of rendering the services under the Main Agreement.
2 Scope of the contract / authority of the Customer to issue instructions
2.1 payever will process the Customer Data exclusively on order and in accordance with the instructions of the Customer unless payever is required by the law to do otherwise. In the latter case, payever will inform the Customer about these legal requirements prior to the processing unless the relevant law prohibits such notification on the basis of important public interests.
2.2 The processing of Customer Data by payever is carried out exclusively in the manner and scope and for the purpose specified in Appendix 1 to this Annex; the processing involves exclusively the types of personal data and categories of data subjects set forth in Appendix 1.
2.3 The term for the processing corresponds to the term of the Main Agreement.
2.4 The instructions are conclusively set forth in the content of the Main Agreement and this present Annex unless mandatory provisions in data protection law require additional instructions.
3 Requirements for personnel
3.1 payever must impose obligations to maintain confidentiality about the processing of Customer Data on all persons who process Customer Data.
3.2 payever will make sure that natural persons who work for payever and have access to the Customer Data only process the data according to the instructions of the Customer, unless they are required to process the data pursuant to the law of the European Union or the Member States.
4 Security in the processing
4.1 payever will take all appropriate technical and organizational measures required to provide a level of protection for the Customer Data appropriate to the risk, taking into account the state of the art in technology, the costs and type and scope of implementation, the circumstances and the purpose of the processing of the Customer Data as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of the data subjects.
4.2 payever must take the technical and organizational measures specified in Appendix 2 to this Annex prior to the beginning of the processing of the Customer Data, and payever must maintain these measures during the course of the Main Agreement or replace them by at least equivalent measures, as well as make sure that the processing of Customer Data is carried out in accordance with these measures.
5 Use of additional contract processors
5.1 The Customer hereby generally approves the use of additional contract processors by payever. The additional contract processors currently used by payever are designated in Appendix 3.
5.2 payever will inform the Customer about any intended change with regard to the involvement or replacement of additional contract processors by sending an email to the email address entered in the payever Account. The Customer is entitled to raise an objection to any intended change within 4 weeks. If the Customer objects, payever is prohibited from making the intended change. In the case of permitted changes, payever will update the list of subcontractors in Appendix 3 accordingly and automatically provide the updated list to the Customer.
5.3 payever will impose data protection obligations by contract on each further contract processor which are at least equivalent to the duties for payever established in this present Annex.
6 Rights of the data subjects
6.1 payever will, using appropriate technical and organizational measures and in exchange for compensation, provide all possible support to the Customer in complying with its duties to answer requests by data subjects exercising their rights.
6.2 In particular, payever will inform the Customer without undue delay if a data subject directly contacts payever with a request to exercise the data subject’s rights with regard to the Customer Data.
7 Other duties of payever to provide support
7.1 payever will report to the Customer every violation of the protection of Customer Data without undue delay after learning about such a violation, especially events which lead to the destruction, loss, modification or unauthorized disclosure of or access to Customer Data.
7.2 In the event that the Customer is required to inform the supervisory authorities and/or data subjects pursuant to Art. 33, 34 GDPR, payever will support the Customer upon request in complying with these duties in exchange for compensation.
7.3 payever will provide all possible support to the Customer in exchange for compensation in the case of any data protection impact assessments to be carried out and any subsequent consultations with the supervisory authorities under Art. 35, 36 GDPR.
8 Deletion and return of data
8.1 payever will either delete or return to the Customer all Customer Data at the instruction of the Customer when the Main Agreement ends, unless payever is required by law to continue to store the Customer Data.
9 Proof and inspections
9.1 payever declares its consent that the Customer is entitled, upon scheduling a date, to itself monitor compliance with the provisions on data protection and data security as well as the contractual agreements to a reasonable and necessary extent, or to have such an inspection conducted by third parties retained by the Customer, especially by means of obtaining information and reviewing the stored data and the data processing programs as well as by examinations and on-site inspections which are conducted during normal business hours at the Customer’s own expense and without disturbing operations.
9.2 payever will receive from the Customer compensation for payever’s efforts in connection with this monitoring.
Date [18.05.2018]
Appendix 1 – Information for data processing
Purpose, type and scope of data processing, type of the data and group of data subjects
Appendix 2 – Technical and organizational measures by payever
payever will take appropriate technical and organizational measures to achieve a level of protection reasonable for the risk, taking into account the state of the art in technology, the costs and type of implementation, the scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of natural persons. These measures include:
Infrastructure and physical security measures
The data of the Customer are stored in external data center parks which are certified in accordance with the internationally recognized standard for information security DIN ISO/IEC 27001. The physical security measures include, but are not limited to:
• construction measures (fences, monitoring cameras, locked doors, gates and windows, etc.)
• uninterruptible electric power supply
• modern fire early-detection system
• entry authorization for employees and third parties, including the respective documentation
• identity cards or code cards
• certain security areas with their own entry control (“closed shops”)
• rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)
• 24/7 servicing by qualified personnel
• installation work by qualified technicians
Security measures for internal networks:
payever has a secure internal network for collecting, processing and using the Customer Data, and payever maintains this network. For this purpose, payever protects the data communication between the data centers with VPN and between individual payever service components with SSL. payever uses a secure encryption process (RSA 4096-bit) for the internal processing of confidential and sensitive data.
payever also implements and maintains reasonable firewalls for the protection of the internal networks against unauthorized access to the data, including, but not limited to, defending against dynamic IPs. All user logins, IPs, changes in data files and HTTP access which are improperly used are monitored by a system and communicated to payever (alerting). All firewall settings are examined at least once each quarter and adjusted in accordance with the market standard.
Internal measures at the company:
payever has implemented numerous internal measures at the company. These measures include:
• entry control for all persons entering the business premises by way of lockable rooms and escorting of visitors
• security for all end devices using passwords
• access authorization for employees on the basis of an access authorization concept, including the corresponding documentation with differentiated access rules (e.g. partial block, exact user roles or profiles)
• binding guidelines and procedures for the employees with regard to data security and data processing
• identification of the end device and/or user
• automatic reporting of user IDs which have not been used for a certain period of time
• rules and requirements for third parties (visitors, customers, cleaning personnel, contractors, etc.)
• use of encryption for data files that are critical with regard to security
• guidelines for the organization of data files
• user name and password
• guidelines for creating a secure password
• separation of production and test environments for libraries and data files
• backup routine with regular backups
• guidelines for the production of backup copies
• existence of an emergency plan (backup emergency plan)
• determination of binding or potential storage locations for data
• electronic logging of data processing, especially use, modification and deletion of data
• continuous updating of the software in use (e.g. with updates, patches, fixes, etc.)
• guidelines for documentation of software and IT processes
payever has also implemented reasonable measures for separation monitoring so that there is assurance that the data collected for different purposes can be processed separately:
• separation of test data and production data
• authorization concept (logical separation)
• separation of the data according to customers
payever reserves the right to update or adjust these technical and organizational measures over the course of time, to the extent such adjustments do not lead to a deterioration of the general security of the services by payever as a contract data processor.
Appendix 3 – List of subcontractors