Data Processing Agreement in accordance with Article 28(3) GDPR
(pursuant to Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) GDPR)
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these Standard Contractual Clauses (the "Clauses") is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
(c) These Clauses apply to the processing of personal data as specified in Annex II.
(d) Annexes I to IV are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2
Invariability of the Clauses
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
Clause 3
Interpretation
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 5
Docking clause
(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
Clause 7
Obligations of the Parties
7.1. Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor's opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
7.4. Security of processing
(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data ("personal data breach"). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions and offences ("sensitive data"), the processor shall apply specific restrictions and/or additional safeguards.
7.6. Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller's request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7.7. Use of sub-processors
(a) The processor has the controller's general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least four weeks in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) At the controller's request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor's obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
Clause 8
Assistance to the controller
(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller's instructions.
(c) In addition to the processor's obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
- the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a "data protection impact assessment") where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
- the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
- the obligations in Article 32 Regulation (EU) 2016/679.
(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 9
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
9.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679, shall be stated in the controller's notification, and must at least include:
- the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller's obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III – FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination
(a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
- the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
- the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
ANNEX I – LIST OF PARTIES
Controller (hereinafter referred to as "Client"): The customer named in the order form
Processor:
- Name: ZEP GmbH
- Address: Stuttgarter Str. 41, 71254 Ditzingen, Germany
- Name, function and contact details of the contact person: Christian Bopp, Managing Director, support@zep.de
- Data protection officer: Kertos GmbH, Brienner Str. 41, 80333 Munich, Contact: dsb@kertos.io
ANNEX II – DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data are processed:
- Employees of the client
- Customers and service providers of the client or their employees
Categories of personal data that are processed:
- Contact and address data
- Personnel master data
- Payment
- Time tracking data
- Project data
- Project planning data
- Billing
- Billing data
- Offer data
Sensitive data processed (if applicable) and restrictions or safeguards applied that fully reflect the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for employees who have undergone specific training), records of access to the data, restrictions on onward transfers, or additional security measures:
If the module "Absences & Overtime" is used: sick days or sick periods of employees of the client.
The type of processing and the purpose(s) for which the personal data are processed on behalf of the controller:
Provision and operation of the Software-as-a-Service solution "ZEP – Time Recording for Projects", which, depending on the configuration ordered, can include the following functions in particular:
- Time recording and evaluations: Time recording and time sheets, customers, employees, projects, hourly and daily rate projects, standard working hours per employee, time recording with from and to time as well as duration
- Project planning, plan/actual comparison: Planned figures for project and task (hours, amount), flat-rate/fixed-price projects, target/actual comparisons
- Prices & Receipts
- Travel expense report
- Planned hours
- Overtime, absenteeism and holidays
- Departments, Branches, Locations
- Document generator for PDF, Word, LibreOffice documents
- Document
- Tickets, Tasks, ToDos
- Resource
- App for iPhone and Android
- SOAP interface
- Salesforce Interface
- Freelancers
- Personio interface
- ZEP Attendance
- Offerings
- Invoicing for invoice planning and invoicing
- Export for Accounting
Duration of processing:
During the term of the separately agreed commercial contract between the Client and the Processor regarding the software solution provided by the Processor
ANNEX III – TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational security measures implemented by the processor (including all relevant certifications) to ensure an adequate level of protection, taking into account the nature, scope, circumstances and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.
General
Our technical and organizational measures are based on current standards of ISO 27001.
The high level of protection of our measures is regularly reviewed and adapted to the current state of the art.
Employees are regularly trained in the handling of sensitive data and are obliged to maintain confidentiality.
The handling of data and data processing equipment is regulated in writing (data protection guidelines, work instructions, procedural instructions) and is regularly reviewed.
Insofar as the data processing is carried out within the framework of the cloud services of the sub-processor Amazon Web Services EMEA SARL, the current technical and organizational measures of this sub-processor, which are described on the website https://aws.amazon.com/de/compliance/data-privacy-faq/, apply.
ZEP has taken the following technical and organizational measures within the meaning of Art. 32 GDPR to ensure encryption and pseudonymization, confidentiality, integrity, availability and resilience, recoverability and corresponding verification procedures:
Confidentiality (Art. 32 para. 1 lit. b GDPR)
1.1. Organisational governance
The aim is to ensure that the internal organisation meets the specific requirements of data protection.
a) Organizational instructions (ISO/IEC 27002:2022)
The goals of data protection and information security are laid down in data protection and information security guidelines and are binding for all ZEP employees. In addition, further organizational instructions will be implemented to provide employees with concrete guidelines for the processing of personal data (e.g. remote work policy).
b) Appointment of a data protection officer in accordance with Art. 37 GDPR
The management has appointed a data protection officer. The data protection officer works towards compliance with the provisions of data protection law and fulfils these tasks within the meaning of Art. 39 GDPR. This includes, among other things, support in the establishment and further development of a data protection management system, the creation, further development and monitoring of corresponding guidelines as well as the implementation of regular awareness-raising measures.
c) Obligation of confidentiality and data protection
All employees are obliged in writing to maintain confidentiality and data protection and to comply with other relevant laws when the employment contract is handed over or, at the latest, at the start of employment. The obligation continues beyond the duration of the employment relationship. Freelancers and external service providers are bound to secrecy in writing on the basis of Non-Disclosure Agreements (NDAs) and also sign a data processing agreement if they process personal data on behalf of ZEP GmbH.
d) Data protection training
Every employee of ZEP GmbH receives information and leaflets on data protection and confirms this with the employment contract. In addition, regular training courses are carried out as awareness-raising measures. Employees from particularly sensitive areas such as human resources, product development or customer service also receive separate information and training on specific specialist topics if required.
e) Restrictions on the private and business use of communication equipment
ZEP GmbH provides its employees with laptops as communication devices. No company mobile phones are handed out to employees. The use of private communication devices is excluded (accordingly, there are no BYOD rules). Employees of ZEP GmbH are not permitted to use the company e-mail system for private purposes. The Internet system and telephone services may be used privately only to a limited extent. Strict attention must be paid to the separation of private and business data. In addition, ZEP employees are not permitted to process personal data or other customer data, in particular data from the processing relationship under the customer order, on private communication devices. The employees of ZEP GmbH undertake to comply with the Information Handling Policy; compliance is monitored to the extent permissible and necessary. The Information Handling Policy contains explicit examples of unauthorized private use of the Internet and the company e-mail system. The use of social media is also regulated there.
f) Reliability of staff (in accordance with ISO/IEC 27002:2022)
ZEP GmbH uses appropriate measures before, during and after employment to ensure that all employees understand, meet and reliably implement the requirements of information security. These include, in particular:
- Pre-screening: Appropriate screening of candidates is carried out prior to recruitment (e.g. identity and reference verification), in accordance with applicable laws, regulations and ethical principles.
- Conditions of employment: Employment contracts contain clear provisions on information security obligations, confidentiality obligations, responsibilities and rules of conduct.
- Awareness-raising, education and training on information security: Employees are regularly trained in information security and data protection topics to ensure a lasting awareness and understanding of their duties.
- Disciplinary Actions: There are documented procedures in place to deal with security or privacy policy violations, including graduated sanctions.
- Post-Termination or Change of Employment Responsibilities: Upon termination or change of employment, a documented offboarding process is conducted to ensure the revocation of access rights, the return of company property, and the maintenance of confidentiality obligations.
1.2 Encryption and pseudonymization of personal data
It is ensured that personal data is stored in the system only in a way that does not allow third parties to identify the data subject.
a) Key management (in accordance with ISO/IEC 27002:2022)
ZEP GmbH operates a documented procedure for the management of cryptographic keys over their entire life cycle. This procedure includes the creation, distribution, storage, use, modification, blocking, archiving, and secure destruction of keys.
- System Security Policy: An internal policy on the use of cryptographic methods and key management defines responsibilities, security requirements, and permissible algorithms according to the state of the art.
- Key generation and protection: Cryptographic keys are securely generated and stored to prevent unauthorized access, loss, or disclosure. The master key for encrypted data stores is created and managed under the responsibility of the Infrastructure-as-a-Service (IaaS) provider. ZEP GmbH ensures that the provider implements suitable technical and organizational measures in accordance with ISO/IEC 27001.
- Key lifecycle: Management covers all phases of the key lifecycle — from generation and active use to decommissioning and secure deletion. Key compromises are documented and lead to immediate protective measures.
- Use of cryptographic methods: Encryption methods, key lengths and protocols comply with accepted best practices and are regularly reviewed to meet current security standards.
- Password policy: ZEP GmbH has a policy that regulates the selection of suitable passwords, the handling of passwords and the monitoring of passwords.
b) Database and storage encryption
All customer data is always encrypted "at rest" using AES-128-GCM. In line with the principle of least privilege, only the systems designated for processing the data may use the encryption keys. Backups are kept in encrypted form only.
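As an added illustration of the at-rest encryption named above (example code written for this page, not ZEP's implementation), the following Go program seals a record with AES-128-GCM from the standard library. The 16-byte key, the record identifier and the sample absence record are constructed for the example; in practice the key would come from the IaaS provider's key management (see 1.2 a) above). The record identifier is bound as additional authenticated data so that a ciphertext cannot be moved to another record, and each seal uses a fresh random nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 128-bit data key used only for this illustration.
// In a real deployment the key would be obtained from the IaaS provider's key
// management service and never hard-coded.
var demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128

// EncryptRecord seals plaintext with AES-128-GCM. The record identifier is
// bound as additional authenticated data (AAD), so a ciphertext copied from
// one record to another fails authentication on decryption. The returned blob
// is nonce || ciphertext || GCM tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// One fresh random nonce per seal: repeating a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord and returns an error if the key, the
// record identifier or any byte of the blob does not match.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// newGCM enforces the AES-128 key length named in the annex before building
// the AEAD; aes.NewCipher alone would silently accept 24- or 32-byte keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, fmt.Errorf("AES-128 requires a 16-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record of the kind listed in Annex II (absence data).
	record := []byte("employee=4711; absence=sick; 2024-03-04..2024-03-06")
	blob, err := EncryptRecord(demoKey, "absence/4711/2024-03-04", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(demoKey, "absence/4711/2024-03-04", blob)
	fmt.Printf("round trip ok: %v (%d bytes stored for %d bytes of data)\n",
		err == nil && string(pt) == string(record), len(blob), len(record))
	// Replaying the same blob under another record identifier is rejected.
	_, err = DecryptRecord(demoKey, "absence/4712/2024-03-04", blob)
	fmt.Println("moved to another record:", err)
}
```

The key-length check in newGCM matters because the Go AES constructor accepts 16, 24 or 32 bytes; without it a deployment could drift away from the AES-128 stated in the annex without any error. Binding the record identifier as AAD is what makes "only the designated systems may use the keys" enforceable per record rather than per database.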
c) Data transmission via encrypted data networks or tunnel connections ("data in transit")
All private data transmitted by the ZEP application to a customer or to other platforms via an insecure or public network is transmitted exclusively in encrypted form. This applies in particular to access to the customer and management system. ZEP guarantees the use of a state-of-the-art encryption method within the limits of what the customer's side supports (currently HTTPS connections based on Transport Layer Security, TLS 1.2 or higher). For reasons of backward compatibility, the customer is responsible for using state-of-the-art devices and browsers.
Administrative access to ZEP server systems and the transmission of backups takes place exclusively via encrypted connections, e.g. Virtual Private Network (VPN). A VPN connection is used to access customer systems as part of remote work. Only VPN servers that are under the direct control of ZEP are used. The use of public VPN providers is not permitted.
d) Encryption of mobile storage media
The use of mobile storage media is generally prohibited. In the exceptional case that these are used and data from ZEP is used or processed on them, then these storage media are used exclusively in encrypted form. This applies in particular to the use of USB sticks, external hard drives or similar. The use of private mobile storage media to store customer data is not permitted. This is regulated in the Removable Storage Media Policy.
e) Encryption of storage devices on laptops
All laptops of the key employees of ZEP GmbH are centrally managed and equipped with modern hard disk encryption.
f) Encrypted exchange of information and files.
The exchange of information and files between the customer and ZEP GmbH is generally carried out directly in encrypted form via the ZEP application (see c). If the customer's personal data or confidential information needs to be transferred to servers that cannot receive TLS-encrypted HTTPS uploads, it is transmitted using the SSH File Transfer Protocol (SFTP) or another state-of-the-art encrypted mechanism. The customer is responsible for requesting or providing such secure data transport as needed.
g) Email encryption
In principle, all e-mails sent by employees of ZEP GmbH or from within the ZEP application are transmitted over TLS. An exception arises if the receiving mail server does not support TLS. The customer must ensure that the mail server used for the order supports TLS encryption.
1.3 Physical access control
The Contractor does not use its own, permanently installed server or data center space. Personal data is processed exclusively on servers of certified third-party hosting or cloud service providers that operate their own physical security measures. The Contractor's office serves exclusively as a coworking workplace without local storage of sensitive information. Only mobile devices (laptops) are used on site, which are encrypted at all times and protected against unauthorized access. The office is protected by the following access control measures:
a) Electronic door locks
The entrance doors to the offices of ZEP GmbH are always locked and secured with security locks.
b) Controlled key distribution
There is a central, documented distribution of the keys to the ZEP employees.
c) Supervision and accompaniment of strangers
Persons who do not work for ZEP GmbH, such as external service providers or other external persons, may only enter the offices with prior permission and accompanied by a ZEP employee.
d) Protection of areas with an increased need for protection
Cabinets with increased protection requirements, such as cabinets containing contract documents, are always locked after use or when the room is left. Access to these cabinets is granted only to authorized personnel. Increased protection requirements in the non-technical areas are determined by a representative of the management.
e) Closed doors and windows
ZEP GmbH ensures that all windows and doors are closed or locked outside office hours.
f) Physical and environmental security of server systems in data centers
ZEP GmbH only uses server systems from the data center operator (AWS) that have a valid certification according to ISO/IEC 27001:2022 and thus implement appropriate technical and organizational measures for physical and environmental security, e.g.:
- The data center and the systems used there are housed in inconspicuous buildings that are not recognizable as data centers from the outside; no signage identifies them.
- The data center itself is protected by physical security measures against unauthorized access both from the outside (e.g. fences, walls) and inside the buildings.
- Access to the data center is managed by electronic access controls and secured by alarm systems that trigger an alarm when the door is opened or kept open.
- Access authorization is granted by an authorized person and revoked within 24 hours of an employee's or vendor's record being deactivated.
- All visitors must identify themselves and register and are always accompanied by authorized personnel.
- Access to these sensitive areas is also controlled by video surveillance.
- Trained security personnel guard the data center and its immediate surroundings 24 hours a day, 7 days a week.
1.4 Access control (systems)
Access to the Contractor's systems and applications is exclusively via secure remote connections. All users have individual user accounts and strong authentication procedures, such as multi-factor authentication. Password policies, automatic locking mechanisms, and encrypted communication connections ensure that only authorized persons have access to productive cloud services and administrative functions.
1.5 Access control (data)
It is ensured that persons authorised to use an automated processing system only have access to the personal data to which their right of access applies.
a) Role and authorization concept
i) Role and authorization concept for customer system
Administrators of the client have a multi-level role concept at their disposal for assigning rights and can distinguish between viewing and editing rights per function or area within ZEP for individual users.
ii) Role and authorization concept for server/database systems
Access to the server/database system is generally restricted to a small number of trained employees in the field of product development and infrastructure.
b) Assignment of access rights
The allocation of access rights at ZEP GmbH is always based on the "need-to-know" principle. Accordingly, access is granted only to persons with a documented need, and only for as long as they need it. The applicant must conclusively justify the need when applying. The authorization concept is role-based: each employee is always assigned a specific role, and authorizations beyond this role must be justified. Access authorizations are documented centrally and withdrawn by the administrator immediately after the need for access expires. Access is limited to the minimum privileges. Access to the server/database system is approved by the management and is usually carried out according to the 4-eyes principle. The administrators regularly check whether granted permissions are still required. In the event of an employee's departure, HR managers immediately inform the administrators or the HR department of upcoming changes so that the corresponding authorizations can be revoked. Where possible, authorizations are revoked within 24 hours of an employee's departure.
c) Host-based intrusion detection system (IDS)
ZEP uses an intrusion detection system (IDS). It monitors, at a minimum, parameters such as suspicious log entries, signatures of known rootkits and Trojans, anomalies in the device file system, and brute-force attacks. In the event of any anomaly, the responsible employees (operations and product development) are informed immediately by e-mail and/or other notification.
d) Network security
ZEP's servers and databases are operated only on private subnets without public IPs, which ensures that no services are directly accessible from the Internet. Publicly accessible services are routed through load balancers or bastion hosts, which allow only the protocols and ports required for that service. In addition, a web firewall is used to protect against common web exploits and bots that could affect availability or compromise security.
1.6 Permission Control
The use and processing of data protected by data protection law by unauthorized persons is prevented.
a) Use of authentication procedures
Access to personal data is always via encrypted protocols: SSH, TLS 1.2 or higher, HTTPS or comparable protocols.
i) Authentication procedure for IT system/laptop
- Authentication with username and password according to password policy is the minimum security requirement.
- Depending on the capabilities of the laptop, alternative and secure authentication methods can be activated.
ii) Customer system authentication procedures (customer system = access for administrators and users of the customer)
- Authentication with an email address
- Selection of a self-chosen password in accordance with the customer's internal rules on the number of characters and on the use of numbers, letters and special characters
- Resetting the password via a reset link sent by email
- Account lockout after five failed login attempts
- In addition, the customer can control authentication and password security through the integration of OAuth2. 2-factor authentication is also possible and recommended.
iii) Authentication to server/database system (server/database system = access to the stored data by ZEP product development)
- Administrative access via VPN, SSH, or AWS API
- Authentication with SSO (MFA enforced)
b) Determination of support and instruction officers
Admin users of the customer have the option to release data for support purposes directly in ZEP. The customer service team of ZEP GmbH is obliged to accept orders from, and to provide or verify information to, only the persons named for this purpose.
c) Prohibition of the disclosure of passwords and the use of "shared accounts"
Both users of ZEP and employees of ZEP GmbH are prohibited from passing on passwords for the use of ZEP as well as the use of so-called "shared accounts" for access to customer and administrative systems (i.e. exclusive use of personal and individual user logins when logging into the system).
d) Automatic blocking in case of inactivity
ZEP employees are instructed to always lock their laptops when they are not in use. In addition, an automatic screen lock is set up after 15 minutes of inactivity. Unlocking requires the authentication procedure described in "Authentication procedure for IT system/laptop".
e) Use of anti-virus software
Laptops of ZEP GmbH employees, like all operational IT systems, are equipped with state-of-the-art and up-to-date anti-virus software. As a matter of principle, no computers may be operated without resident virus protection, unless other equivalent security measures have been taken according to the state of the art or there is no risk. Predefined security settings must not be deactivated or bypassed.
g) "Clean Desk Policy"
ZEP employees are required not to print out or store personal data of customers locally, not to leave work materials lying around in the open and to store them properly. Documents with personal data must be stowed away after use either in lockable cabinets or drawers or disposed of in compliance with data protection regulations.
h) Public wireless networks and connection to the company network
Public wireless networks are used exclusively via a VPN connection provided by ZEP GmbH.
1.7 Separability
It is ensured that personal data collected for different purposes can be processed separately and is separated from other data and systems in such a way that unplanned use of this data for other purposes is excluded.
a) Separation of development, test and operating environments (acc. to ISO/IEC 27002:2022)
- Development, test and production systems are logically and technically separated from each other.
- Production data may only be used in test or development environments if it has been completely anonymized or pseudonymized beforehand.
- Access to each environment is limited to authorized roles and is reviewed periodically.
- Changes to systems or applications are first validated in a test or staging environment before they are applied to the operating environment.
- Debugging or diagnostic tools may only be used in the production environment if this is technically mandatory, documented and released.
- Transfers between environments take place encrypted or over trusted network connections.
- The entire change process is documented in the change management process and released in a comprehensible manner.
b) Separation in networks (acc. to ISO/IEC 27002:2022)
ZEP GmbH separates its networks according to tasks. The following networks are used permanently: operating environment ("Prod") and test environment ("test"). In addition to these networks, other separate networks are created as needed, e.g. for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated physically or by means of virtual networks.
c) Software-side client separation
ZEP GmbH ensures the separate processing and storage of data from different clients via logical client separation based on a multi-tenancy architecture. The assignment and identification of the data is carried out by a separate database for each customer, so that the risk of circumventing client separation through programming errors is excluded. Regular security audits and mandatory code reviews (4 to 6 eyes principle) further secure the architecture.
2. Integrity Measures
Integrity means ensuring the correctness/authenticity of the data and the proper functioning of the systems.
2.1 Transmission control
It is ensured that the confidentiality and integrity of personal data are protected during transmission and during the transport of storage media.
a) Transport encryption ("Data in Transit")
See "Encryption and pseudonymization of personal data"; data integrity during transport is ensured by calculating checksums.
b) Prohibition of disclosure to unauthorised third parties
A transfer of personal data that is carried out on behalf of the Client may only take place within the scope of the instructions and to the extent that this is necessary for the provision of the contractual services for the Client. In particular, the disclosure of personal data from the order to unauthorized third parties, e.g. by storing it in another cloud storage, is not permitted.
2.2 Input control
The aim is to ensure that it can be checked and determined retrospectively which personal data have been entered into or changed in automated processing systems, at what time and by whom.
Logging of system activities in the customer's system and evaluation
Many of the essential system activities are logged. The log entries contain at least: timestamp, user ID, access role, system component or function, activities performed. Logged activities include all input, modification, and deletion actions related to data, users, permissions, or system settings.
3. Measures to ensure availability
The availability of services, functions of an IT system, IT applications or IT networks or even information is given if they can be used by the users at any time as intended.
3.1 Availability control
Ensuring that personal data is protected against accidental destruction or loss.
a) Data backup procedures
ZEP GmbH has implemented a state-of-the-art backup concept for the database holding the customer's data and for the storage medium holding the corresponding documents, in order to ensure sufficient availability.
b) Geo-redundancy in relation to the server infrastructure of production data and backups
In order to ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, ZEP GmbH ensures that appropriate spatial separation requirements are met with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centers at a sufficient distance or data centers with different availability zones. The backup system is designed so that in the unlikely event of an AWS Region failure, data is not at risk thanks to backup replication across multiple AWS EU Regions.
c) Capacity management
There is capacity management with monitoring and automatic scaling in case of capacity bottlenecks.
d) Warning systems to monitor the accessibility and status of server systems
There is an alert system to monitor the availability and status of server systems. In the event of failures, the infrastructure department is automatically notified to take immediate action to resolve the issue.
e) IT Incident Response Management (acc. to ISO/IEC 27002:2022)
ZEP GmbH has a documented procedure for the management of IT faults and security-relevant events. This procedure includes the detection, reporting, analysis and handling of incidents affecting information security or the protection of personal data. ZEP GmbH ensures that appropriate responsibilities, escalation channels and communication channels are defined in order to identify incidents in a timely manner and respond appropriately. In the event of a personal data breach, ZEP GmbH shall immediately inform the controller and provide all relevant information to support compliance with the reporting obligations pursuant to Art. 33 and 34 GDPR. Findings from security incidents are documented, analyzed and incorporated into the continuous improvement of organizational and technical measures to prevent similar incidents in the future.
f) Other measures to ensure availability in the data centers
An automatic fire detection and firefighting system is installed in the data center. The fire alarm system uses smoke sensors throughout the data center environment, in the mechanical and electrical areas of the infrastructure, in the cold rooms, and in the rooms where the generators are housed.
All power supply systems are designed redundantly. In the event of a power failure, an uninterruptible power supply (UPS) ensures that critical areas of the system continue to be supplied with power. The data center also has generators that can supply the entire facility with backup power. The data center is air-conditioned and temperature-controlled. Preventive maintenance measures are carried out to ensure continuous operation.
3.2 Recoverability
It is ensured that systems can be reliably restored in the event of a physical or technical failure.
Disaster Recovery Concept
There is a concept for dealing with emergencies/disasters and a corresponding emergency plan. ZEP GmbH guarantees the recovery of all systems on the basis of data backups, usually within 4 hours (Recovery Time Objective – RTO) after confirmation by ZEP GmbH support (incident acknowledgement). The Recovery Point Objective (RPO) is set to 24 hours.
In the event of an emergency, the restoration is carried out from backups that can be loaded directly from AWS and imported into the respective ZEP instance. Backups are made every night. Daily backups are retained for the first 14 days; thereafter one weekly backup is retained until week 19. The backups created are regularly tested.
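The retention schedule and the 24-hour RPO stated above can be turned into an automated check, which is what a practitioner would want when verifying that the backup concept is actually being followed. The following is an added example, not ZEP GmbH's own tooling; it assumes backups are identified by UTC timestamps, that the weekly copy kept beyond the first 14 days is the Sunday backup, and that "until week 19" means backups older than 19 weeks (133 days) are expired. None of these assumptions appears in the agreement itself.

```python
"""Retention and RPO check modelled on the backup schedule in section 3.2.

Added example, not ZEP GmbH's own tooling. Assumptions not stated on the
page: backups are identified by their UTC timestamp, the weekly copy kept
beyond the first 14 days is the one taken on Sunday, and "until week 19"
means backups older than 19 weeks (133 days) are expired.
"""
from datetime import datetime, timedelta, timezone

DAILY_DAYS = 14             # every nightly backup is kept for the first 14 days
WEEKLY_UNTIL_DAYS = 19 * 7  # then one backup per week until week 19
WEEKLY_ANCHOR_WEEKDAY = 6   # assumption: Sunday's backup is the weekly copy (Mon=0)
RPO = timedelta(hours=24)   # Recovery Point Objective from section 3.2


def retention_decision(taken: datetime, now: datetime) -> str:
    """Classify one backup as 'daily', 'weekly' or 'expire' relative to now."""
    age = now - taken
    if age < timedelta(0):
        raise ValueError("backup timestamp lies in the future")
    if age.days < DAILY_DAYS:
        return "daily"
    if age.days < WEEKLY_UNTIL_DAYS and taken.weekday() == WEEKLY_ANCHOR_WEEKDAY:
        return "weekly"
    return "expire"


def rpo_met(backups, now, rpo=RPO) -> bool:
    """The newest backup must be no older than the RPO; otherwise data is at risk."""
    return bool(backups) and now - max(backups) <= rpo


def retention_report(backups, now) -> dict:
    """Count backups per retention class and check the RPO in one pass."""
    counts = {"daily": 0, "weekly": 0, "expire": 0}
    for taken in backups:
        counts[retention_decision(taken, now)] += 1
    counts["rpo_met"] = rpo_met(backups, now)
    return counts


# Constructed sample data: 180 nightly backups at 02:00 UTC, newest on 2024-06-30
# (a Sunday), evaluated at 09:00 UTC the same day.
SAMPLE_NOW = datetime(2024, 6, 30, 9, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [SAMPLE_NOW.replace(hour=2) - timedelta(days=i) for i in range(180)]

if __name__ == "__main__":
    report = retention_report(SAMPLE_BACKUPS, SAMPLE_NOW)
    print(report)  # {'daily': 14, 'weekly': 17, 'expire': 149, 'rpo_met': True}
    # Simulate one missed night: the RPO check must then fail.
    print("RPO met after a missed night:", rpo_met(SAMPLE_BACKUPS[1:], SAMPLE_NOW))
```

Running the check against a real backup inventory (for example, the object timestamps of a backup bucket) flags both over-retained copies and a missed nightly run that would breach the RPO.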
4. Measures for review and evaluation
Description of the procedures for periodically reviewing, evaluating and assessing the effectiveness of the technical and organisational measures.
a) Data protection and information security system
A data protection and information security system has been set up for the planning, implementation, evaluation and adaptation of measures in the area of data protection and data security.
b) Risk management
ZEP GmbH operates a documented process for identifying, assessing and treating risks as part of its information security management system, which is certified according to ISO/IEC 27001. The effectiveness of the technical and organizational measures taken is regularly reviewed and, if necessary, adjusted in order to ensure the security of the processing of personal data on a permanent basis. In addition, the ZEP application is subjected to regular penetration tests in order to be able to identify and treat possible risks.
c) Independent review of information security (acc. to ISO/IEC 27002:2022)
i) Conducting audits
- Internal audits on data protection and information security are carried out regularly. The audits are carried out on the basis of common audit criteria/schemes (in particular legal requirements of the GDPR, security standards, etc.) and check in particular the completeness and correctness of guidelines and concepts as well as the documentation and compliance with corresponding processes.
- ZEP GmbH subjects its ISMS to regular external audits by an independent, accredited certification body within the framework of ISO/IEC 27001 certification (initial certification, monitoring and recertification audits). The certificate is linked here.
ii) Verification of compliance with safety guidelines and standards (acc. to ISO/IEC 27002:2022)
Compliance with the applicable security guidelines, standards and other security requirements in the processing of personal data is regularly reviewed. Where possible, such checks are carried out on a random, unannounced basis.
iii) Procedures for the continuous improvement of the data protection and information security management system
Data protection and information security processes also include a regular review and evaluation of the technical and organizational measures taken. There is also an improvement and suggestion system in which employees can participate. ZEP GmbH thus ensures continuous improvement of processes in the handling of personal data.
d) Contract monitoring
It is ensured that personal data processed on behalf of the customer can only be processed in accordance with the customer's instructions.
i) Order processing
The employees of ZEP GmbH are instructed to use personal data of the client only on documented instructions within the framework of the order processing agreement and the user agreement. According to the order processing agreement, ZEP accepts the instructions of the Client both in written form and via the electronic formats offered by the Contractor. Oral instructions are only permissible in urgent cases and must be confirmed by the Client without delay in writing or in an electronic format offered by ZEP.
ii) Careful selection of suppliers
In the case of outsourcing, suppliers/third parties are commissioned on the basis of a careful selection process in cooperation with the management and the Data Protection Officer, according to established criteria with particular regard to data protection and IT security, in particular:
- Review of documentation and compliance with technical and organizational measures in accordance with Art. 32 GDPR
- Depending on the level of protection and scope of personal data, only ISO/IEC 27001 certified companies are commissioned if possible (applies to data centers in any case)
To prevent risks, a risk assessment is also carried out for the respective suppliers as part of the process if the third-party provider regularly works with personal data.
iii) Order processing pursuant to Art. 28 GDPR
The commissioning and use of a subcontractor shall be carried out exclusively in accordance with the order processing agreement between ZEP GmbH and the customer, the statutory provisions, and only after the conclusion of a corresponding agreement on order processing in accordance with Art. 28 GDPR between ZEP GmbH and the subcontractor. As a rule, this agreement should, as far as possible, cover at least the following aspects:
- Agreement on effective control rights (in accordance with the rights of the client, including on-site inspections if possible)
- Agreement on appropriate control and information rights when commissioning further subcontractors
- Agreement on contractual penalties for violations, where necessary and possible
- Processing exclusively according to documented instructions
- Exclusion of inadmissible processing steps
- Prohibition of making copies of personal data (other than backup copies)
- Obligation of the subcontractor's employees to maintain confidentiality
- Participation in safeguarding the rights of data subjects
- Appointing a Data Protection Officer, where required by law
- Obligation to provide information in the event of notifiable violations of the protection of personal data in accordance with Articles 33 and 34 of the GDPR, in the event of operational disruptions and other irregularities in the handling of personal data
- Ensuring the deletion/destruction of data after completion of the order
iv) Carrying out regular checks / requesting evidence
Before the start of the assignment and on a regular basis, ZEP GmbH will satisfy itself of compliance with the technical and organisational measures of the subcontractors commissioned by it or have these proven to itself.
