Common use of Processing Activities Clause in Contracts

Processing Activities. The following processing activities will be carried out by the Processor on behalf of the Controller: [Collection of data on the Controller’s websites either via direct submissions from visitors on the Controller’s websites or from behavioral analytics tracking the Controller’s website, systematization and analysis of data and storing of data via sub-processors and thus transferring data to sub-processors. Data will be accessed by the Processor for the purpose of maintenance, global analytics or support to the Controller. Upon instruction from the Controller, the Processor forwards the Controller’s data to third parties appointed by the Controller.]

PRE-APPROVED SUB-PROCESSORS

The following sub-processors used by the Processor are pre-approved by the Controller:

Amazon Web Services, Inc
The Rocket Science Group, LLC (Mailchimp)
Help Scout, Inc

This appendix constitutes a part of the DPA and must be filled out by the Parties. The Parties have agreed to the following security measures to be taken in connection with the Processor’s processing of personal data on behalf of the Controller:

PHYSICAL ACCESS CONTROL

Measures to prevent physical access of unauthorized persons to IT systems that handle personal data: [Buildings and systems used for data processing are safe. Data processing media is stored properly and is not available to unauthorized third parties, thus such media is kept locked when unattended. The Processor only uses high-quality hard- and software and continues to update these if relevant.]

SYSTEM ACCESS CONTROL

Measures to prevent unauthorized persons from using IT systems: [The Processor maintains an authentication system for accessing personal data processing systems. Employee accounts are not shared and inactive sessions are terminated after 30 minutes.]

DATA ACCESS CONTROL

Measures to ensure that the Processor’s employees only have access to the personal data pursuant to their access rights: [The access to personal data is role based. Data can only be accessed by the Processor or the Controller. The Processor has introduced login and password procedures ensuring that only employees with access rights have access to personal data. The Processor keeps a list of employees that have access to the Controller’s data, and only key employees have access to databases.]

TRANSMISSION ACCESS CONTROL

Measures to ensure that personal data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of personal data is to be done via transmission systems: [All data submitted by the Controller is transferred to the Processor encrypted, if the Controller’s website is running on a secure HTTPS connection.]

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement