Use of Processors. A Party shall notify the other Party in writing or text form of its intention to appoint a new Processor. If the notified Party notifies the appointing Party in writing, within thirty (30) days of receipt of such notice, of a reasoned objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative solution. If such an alternative is not agreed within two (2) months of the objection, either Party shall have the right to terminate the Services to the extent that they require the use of the proposed Processor.

ANYBILL has taken the following technical and organizational measures:

1. Is a security concept in accordance with Art. 32 GDPR in place?
   yes (please provide) / no
   Recognition of international standards:
   - Certification in accordance with ISO 27001
   - Certification in accordance with IDW PS 330
   - Certification in accordance with IDW RS FAIT 1
   - other:

2. Have physical access control measures been taken to prevent unauthorized persons from physically accessing systems, data processing facilities or processes?
   yes / no
   Measures:
   - Access control systems, readers (magnetic/chip card)
   - Key management/documentation of key issue
   - Securing of doors (electric door opening, combination locks, etc.)
   - Erection of fences
   - Security doors/windows
   - Window and door panels
   - Office for internal security, gatekeeper
   - Alarm system or burglar alarm system
   - Video surveillance
   - Special security for server rooms
   - Employee or authorization cards
   - Restricted access areas
   - Registration and accompaniment of visitors

3. Have logical access control measures been implemented to prevent unauthorized access to data processing systems?
   yes / no
   Measures:
   - Personal and individual login for the use of systems or company networks, and additional access IDs if required
   - Password assignment (definition of password requirements in terms of complexity and update intervals)
   - Single sign-on
   - Separate system login for certain applications
   - Automatic closing of programs after a certain time without user activity (also password-protected screen saver or automatic setup of work breaks)
   - Electronic documentation of all passwords and encryption of this documentation to protect against unauthorized access
   - Personalized chip cards, etc.
   - Security training and ensuring employee awareness (including training on phishing and social engineering)

4. Have data access control measures been taken to ensure that only authorized persons have access to the data covered by their access rights, and that these persons have only limited access to the data?
   yes / no
   Measures:
   - Access management (role concept)
   - Differentiated authorizations
   - Profiles
   - Castors
   - Documentation of authorizations
   - Release routines
   - Evaluation of notifications
   - Audits / monitoring (e.g. ISO certification, SOX compliance)
   - Encryption of CD/DVD-ROM, external hard disks and/or laptops (e.g. using OS, True Crypt, Safe Guard Easy, WinZip, PGP)
   - Double check
   - Distribution of duties
   - Task-related assignment of release profiles
   - Password ID, etc.

5. Have measures been taken to control data transfers, to ensure the confidentiality and integrity of personal data during transmission and during the transfer of data carriers?
   yes / no
   Measures:
   - Encryption of e-mails
   - Encryption of CD/DVD-ROM, external hard disks and/or laptops (e.g. using OS, True Crypt, Safe Guard Easy, WinZip, PGP)
   - Logging
   - Securing the transport of data carriers
   - Secure WLAN
   - SSL encryption of Internet connections
   - Documentation of the transmission points and channels
   - Pseudonymization/anonymization of personal data

6. Have measures been taken to prevent the unauthorized reading, copying, modification or deletion of data carriers?
   yes / no
   Measures:
   - Encryption of CD/DVD-ROM, external hard disks and/or laptops (e.g. using OS, True Crypt, Safe Guard Easy, WinZip, PGP)
   - Securing the transportation of data media
   - Guideline for the deletion/destruction of data carriers, etc.

7. Have measures been taken to prevent the unauthorized input of data, as well as unauthorized access to, modification of and deletion of stored personal data?
   yes / no
   Measures:
   - Personal and individual login for the use of systems or company networks
   - Password assignment (definition of password requirements in terms of complexity and change intervals)
   - Management of authorizations (authorization concept)
   - Differentiated authorizations
   - Profiles
   - Castors
   - Documentation of authorizations
   - Security training and ensuring employee awareness (including training on phishing and social engineering)

8. Have data entry control measures been taken that make it possible to determine who has accessed, changed, deleted or transferred personal data, and in what way?
   yes / no
   Measures:
   - Access authorization
   - Registration within the system
   - Security and recording software
   - Functional responsibility
   - Double-checks

9. Access to personal data and documents
   Is every login, entry, change, deletion and transfer registered? (Read accesses may also need to be monitored.)
   yes / no
   What exactly is registered? Entry, modification, deletion, transmission, audit logs
   Can the registered information be related to an individual person?
   yes / no
   Where and how is the registered information stored? Database/audit logs
   For how long is the registered information stored, and when is it deleted? Database: no deletion; audit logs stored for 7 days

10. Have policy control measures been taken to ensure that the processing of personal data is carried out strictly in accordance with the controller's policies?
   yes / no
   Measures:
   - Written commissioning of order processing in accordance with Art. 28 GDPR, including the provisions on the rights and obligations of the controller and the seller
   - Informing all employees with access rights
   - Regular additional briefings
   - Obligation of employees to maintain confidentiality in accordance with Art. 28 para. 3 sentence 2 letter b) GDPR
   - Regular data protection checks by the company data protection officer
   - Appointment of contact persons and responsible project managers for the respective assignment
   - Service contracts relating to monitoring
   - Internal guidelines for dealing with situations relevant to data protection

11. Have availability control measures been taken to protect against accidental destruction or loss of personal data?
   yes / no
   Measures:
   - Backup procedure
   - Storage on mirrored hard disks
   - Ensuring an uninterrupted power supply
   - Storage option for backups (secure, separate areas, etc.)
   - Virus protection/firewall
   - Use of secure and resilient servers
   - Air conditioning
   - Fire protection and extinguishing-water protection
   - Alarm systems
   - Server virtualization
   - Appropriate archiving
   - Plan to continue operations
   - Emergency drills
   - Emergency plans
   - Error and recovery plans, etc.
Sources: Data Processing Agreement, Data Processing Agreement