Policies and legal docs

We care about personal data — isn't that what everybody is saying? Data processing, potentially including personal data, happens on multiple levels in web hosting. We have to store IPs for security reasons. We have to keep billing-related data for 10 years. And most importantly: you are storing your code, uploads and databases here.

The agreement below covers cases where you — the client — are collecting and processing personal data on our platform. It offers contractual terms that meet GDPR requirements. It is designed for B2B clients operating in the EU.

The source of this document is here: github.com/fortrabbit/legal/blob/master/data-processing-agreement.md. This is a translated version and is provided for your convenience "as is". The original legally binding German version can be found here: github.com/fortrabbit/legal/blob/master/auftragsdatenverarbeitung-vertrag.md

Data processing agreement by fortrabbit, translated

last modified: 7 June 2018

1. Introduction, scope, definitions

  1. This contract is concluded between the customer of fortrabbit GmbH, hereinafter referred to as "client", and fortrabbit GmbH, hereinafter referred to as "contractor". It supplements every existing hosting contract between the contractor and the client, hereinafter also referred to as the "main contract", when the client processes personal data on the hosting platform of the contractor. Within its scope of application, it takes precedence over the main contract of the contractor.
  2. This contract governs the rights and obligations of client and contractor, hereinafter referred to as the parties.
  3. This contract applies to all activities in which employees of the contractor or subcontractors commissioned by it (subcontractors) process personal data of the client.
  4. Terms used in this agreement shall be understood as defined in the EU General Data Protection Regulation. Insofar as declarations have to be made in the following "in writing", the written form according to § 126 BGB is meant. Otherwise, declarations may also be made in other forms insofar as adequate verifiability is ensured.

2. Subject and duration of processing

  1. The contractor provides web hosting services. The client receives the possibility to process data: save, modify, transmit, delete. The client receives access to the web space and databases. The activity of the contractor is limited to the provision of this IT infrastructure.
  2. Processing starts from the date on which the client makes use of the services and shall continue for an indefinite period until termination of this contract or the main contract by a party and the subsequent final deletion of any personal data.

3. Purpose of the data processing

  1. The client processes data for its own purposes. He is not obliged to disclose the purpose of the processing to the contractor.
  2. The client alone is responsible for the type and structure of the data. The contractor has no influence on the type of data and the circle of those affected.

4. Obligations of the contractor

  1. The contractor processes personal data exclusively as contractually agreed or as instructed by the client, unless the contractor is legally obliged to perform certain processing. If such obligations exist for him, the contractor shall inform the client of these prior to processing, unless the communication is prohibited by law. In addition, the contractor uses the data provided for processing for no other purposes, in particular not for its own purposes.
  2. The contractor confirms that he is aware of the relevant general data protection regulations. He observes the principles of proper data processing.
  3. The contractor undertakes to strictly observe confidentiality during processing.
  4. Employees who are able to obtain knowledge of the data processing must undertake in writing to maintain confidentiality, insofar as they are not already subject to a relevant secrecy obligation by law.
  5. The contractor warrants that the persons involved in the processing have been made familiar with the relevant provisions of data protection and this contract before the start of processing. Appropriate training and awareness-raising measures should be repeated regularly. The contractor shall ensure that persons employed for the processing of orders are regularly adequately instructed and monitored with regard to the fulfillment of data protection requirements.
  6. If the client is subject to inspection by supervisory authorities or other bodies, or if data subjects assert rights against him, the contractor undertakes to support the client to the extent necessary, insofar as the commissioned processing is concerned.
  7. The contractor may only provide information to third parties or the data subject with the prior consent of the client. He will immediately forward inquiries directed to him to the client.
  8. If required by law, the contractor shall appoint a competent and reliable person as data protection officer. It has to be ensured that there are no conflicts of interest for the data protection officer. In cases of doubt, the client can contact the data protection officer directly. Changes in the person or the internal tasks of the data protection officer shall be communicated by the contractor to the client without delay.
  9. Order processing takes place within the EU or the EEA as well as on data processing equipment of the company Amazon Web Services, partly in the USA. Any transfer to a third country may only take place with the agreement of the client and under the conditions set out in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this agreement. With respect to the above-described use of Amazon Cloud, consent is given upon conclusion of the agreement.

5. Technical and organizational measures

  1. The data security measures described at www.fortrabbit.com/security are determined to be binding.
  2. They define the minimum owed by the contractor. The description of the measures must be made in such detail that it is clear to a knowledgeable third party at any time, solely on the basis of the description, what the required minimum should be.
  3. A reference to information that cannot be obtained directly from this agreement or its annexes is not permitted.
  4. The data security measures can be adapted to the technical and organizational development as long as the agreed level is not undershot.
  5. The contractor must implement without delay any changes necessary to maintain information security.
  6. Changes are to be communicated to the client immediately.
  7. Significant changes are to be agreed between the parties.
  8. Insofar as the security measures taken do not or no longer meet the requirements of the client, the contractor shall inform the client immediately.
  9. The contractor warrants that the data processed in the order will be strictly separated from other data.
  10. Copies or duplicates are not made without the knowledge of the client. Excluded are technically necessary, temporary reproductions, as far as an impairment of the here agreed data protection level is excluded.
  11. The contractor will provide regular proof of fulfillment of its obligations as described on the website www.fortrabbit.com/security, in particular the full implementation of the agreed technical and organizational measures.

6. Rules for the correction, deletion and blocking of data

  1. Data processed in the context of the order will only be corrected, deleted or blocked by the contractor in accordance with the contractual agreement or the instructions of the client.
  2. If the client permanently violates his contractual obligations, the contractor is entitled to delete the client's account. In this case, all data will be deleted. The client is informed in advance of this measure.
  3. The contractor will comply with the client's instructions at any time and beyond the termination of this contract.

7. Subcontracting

  1. The contractor employs the following subcontractor: Amazon Web Services.
  2. The commissioning of further subcontractors is permitted; the subcontractors are to be notified in writing to the client prior to the beginning of the data processing. The client can reject subcontractors.
  3. All subcontractors shall be subject to at least data protection obligations that are comparable to those agreed in this contract. Upon request, the client will be given access to the relevant contracts between contractor and subcontractor.
  4. The rights of the client must also be exercised effectively against the subcontractor. In particular, the client must be entitled to carry out inspections at subcontractors at any time, to the extent specified here, or have them carried out by third parties.
  5. The responsibilities of the contractor and the subcontractor must be clearly differentiated.
  6. Subcontracting by the subcontractor is permitted. Paragraphs 2 to 5 apply, mutatis mutandis.
  7. The contractor shall carefully select the subcontractor with special regard to the suitability of the technical and organizational measures taken by the subcontractor.
  8. The forwarding of data processed in the order to the subcontractor is only permitted if the contractor has documented that the subcontractor has completely fulfilled his obligations. The client can inspect the documentation.
  9. Contracting subcontractors who do not carry out on-order processing exclusively from the territory of the EU or the EEA is only possible if the conditions set out in Chapter 4 of this contract are observed. In particular, it is only permissible if and as long as the subcontractor offers adequate data protection guarantees.
  10. The contractor will inform the client on request, which concrete data protection guarantees the subcontractor offers and how proof of this can be obtained.
  11. Subcontractors listed on the website www.fortrabbit.com/sub-processors, hereinafter referred to as the Transparency Page, at the time the contract is concluded are deemed approved upon acceptance of the contractor's terms and conditions.
  12. The contractor reserves the right to employ new subcontractors or to replace subcontractors.
  13. The contractor publishes changes in subcontractor relations on the transparency page.
  14. The client has the option to track changes on GitHub. The address is: github.com/fortrabbit/legal/blob/master/sub-processors.md.
  15. If the client does not agree with a new subcontractor, the right to immediate termination exists.
  16. Subcontracting relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service.
  17. Additional services such as transport, maintenance and cleaning as well as the use of telecommunication services or user services are not included.
  18. The obligation of the contractor to ensure compliance with data protection and data security in these cases remains unaffected.

8. Rights and obligations of the client

  1. The client alone is responsible for the assessment of the admissibility of the commissioned processing as well as for the protection of the rights of those concerned.
  2. The client issues all orders, partial orders or instructions in documented form. In urgent cases, instructions can be given orally. Such instructions will be confirmed by the contractor without delay.
  3. The client is entitled to verify, to an appropriate extent, itself or through third parties, the contractor's compliance with the provisions on data protection and the contractual agreements, in particular by obtaining information, inspecting the stored data and data processing programs, and by other on-site inspections.
  4. The contractor shall, as far as necessary, grant the persons entrusted with the inspection access and insight.
  5. The contractor is required to provide the necessary information, to demonstrate procedures and to provide the evidence required to carry out an inspection.
  6. Inspections of the contractor shall be carried out without avoidable disruption of his business operations.
  7. Unless otherwise indicated for urgent reasons to be documented by the client, inspections shall take place after reasonable advance notice and during business hours of the contractor, and not more frequently than every 12 months.
  8. Insofar as the contractor provides evidence of the correct implementation of the agreed data protection obligations as stipulated in chapter 5.6 of this contract, a check shall be limited to random samples.

9. Notification requirements

  1. The contractor immediately informs the client of personal data protection breaches. Reasonable suspicions of such breaches are also to be communicated. The notification must be made at the latest within 24 hours after the contractor's knowledge of the relevant event to an address specified by the client. It must contain at least the following information:
    1. the name and contact details of the data protection officer or other contact point for further information;
    2. a description of the likely consequences of the violation of the protection of personal data;
    3. a description of the actions taken or proposed by the contractor to remedy the breach of personal data protection and, where appropriate, measures to mitigate their potential adverse effects.
  2. The contractor shall immediately notify the client of any major problems in the execution of the order as well as of breaches by the contractor or persons employed by him of data protection regulations or the stipulations made in this contract.
  3. The contractor shall immediately inform the client of any inspections or measures by supervisory authorities or other third parties, insofar as these relate to order processing.
  4. The contractor undertakes to support the client in the scope of its obligations pursuant to Art. 33 and 34 of the General Data Protection Regulation.

10. Instructions

  1. The client himself has full access to the data at all times, so that it is not necessary for the contractor to cooperate, in particular also for correction, blocking or deletion.
  2. Where the co-operation of the processor is required, the processor shall be obliged to provide it against reimbursement of the reasonable costs incurred. In this case, the controller also has a comprehensive right to issue instructions on the type, scope and procedure of data processing pursuant to Art. 29 in conjunction with Art. 28 DSGVO.
  3. The processor must inform the controller without delay if he believes that an instruction violates data protection regulations. The processor shall be entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by a person authorized to do so by the controller.
  4. Authorized by the client to issue instructions are all persons with a fortrabbit account who are registered with the company of the client as an employee. With every instruction, the employee must identify himself as authorized.
  5. All employees of the contractor are trained and authorized to receive instructions.

11. Termination of the contract

  1. Upon termination of the contract, the data will be destroyed.
  2. Any existing copies of the data will also be destroyed upon expiry of the retention period, if such exists. The destruction must take place in such a way that it is no longer possible to recover even residual information with justifiable effort.
  3. The contractor is obliged to bring about the immediate return or deletion also with subcontractors.

12. Liability

  1. The contractor is liable in principle only for its own fault.
  2. Liability of the contractor for slightly negligent breaches of duty is excluded, unless damages arising from injury to life, body or health or guarantees are concerned, or claims under the Product Liability Act are affected.
  3. Furthermore, the liability for the breach of obligations, the fulfillment of which enables the proper execution of the contract in the first place and on whose observance the customer may regularly rely (cardinal obligations) remains unaffected.
  4. The above limitation of liability applies regardless of the legal grounds of liability and also in favor of employees and vicarious agents of the contractor.
  5. A duty of compensation of the contractor against the client is excluded, as far as the damage was caused by the correct implementation of the commissioned service or an instruction given by the client.

13. Special right of termination

  1. The client may terminate the main contract and this agreement at any time without notice ("extraordinary termination") in the event of a serious breach by the contractor of data protection regulations or the provisions of this agreement, if the contractor cannot or will not execute an instruction from the client, or if the contractor refuses the client's inspection rights in breach of contract.
  2. A serious breach shall, in particular, exist if the contractor has not fulfilled, or has not materially fulfilled, the obligations specified in this agreement, in particular the agreed technical and organizational measures.
  3. In the case of insignificant infringements, the client shall set a reasonable deadline for the contractor to remedy the situation. If the remedy does not occur in time, the client is entitled to extraordinary termination as described in this section.

14. Other

  1. Both parties are obliged to treat confidentially all knowledge of business secrets and data security measures of the respective other party obtained in the course of the contractual relationship, even beyond the termination of the contract.
  2. If there are any doubts as to whether the information is subject to confidentiality, it must be treated as confidential until written approval by the other party.
  3. If the client's property is endangered by measures taken by third parties (such as seizure or confiscation), insolvency or settlement proceedings or other events, the client must inform the contractor immediately.
  4. The written form is required for side agreements.
  5. The right of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the order and the associated data carriers.
  6. Should individual parts of this agreement be ineffective, this does not affect the validity of the agreement otherwise.

Do you like our policies, or wonder about changes, or found a typo? See the fortrabbit legal repo on GitHub.

FAQ

How do I get my copy?

You don't need to. This agreement automatically applies to all of our hosting clients processing personal data.

Can I bring my own DPA?

Sorry, we cannot agree to sign DPAs clients bring in. We don't have a legal team on staff as a small company.