Data Processing Agreement (DPA)
In accordance with Article 28(3) of the General Data Protection Regulation (GDPR)
1. Subject matter and duration of processing
1.1 The subject matter of this agreement is the rights and obligations of the parties in connection with the provision of services in accordance with the General Terms and Conditions (hereinafter the ‘Main Contract’) and, in particular, the use of the propform.io software to create custom web forms, insofar as the processing of personal data is carried out by maklerform UG (haftungsbeschränkt) (hereinafter the “Contractor”) as a data processor on behalf of the customer as the data controller (hereinafter the “Client”) in accordance with Article 28 of the GDPR. This encompasses all activities performed by the Contractor to fulfil the order which constitute data processing on behalf of the controller. This also applies even if the order does not expressly refer to this data processing agreement. The services provided by the Contractor are set out in the General Terms and Conditions and the packages and tariffs described therein. The service package booked by the Client (e.g. Basic, Premium, Enterprise) forms an integral part of this contract.
1.2 This contract is concluded for an indefinite period and is linked to the main contract under which the Contractor processes the Client’s personal data on the Client’s behalf. For as long as the main contract remains in force, the provisions of this contract shall continue to apply until the regular termination of the main contract(s).
1.3 The Client may terminate this contract without notice in the event of a serious breach by the Contractor of data protection regulations or the provisions of this contract. In particular, failure to comply with the obligations agreed in this contract and derived from Article 28 of the GDPR constitutes a serious breach.
2. Nature and purpose of the processing
2.1 The nature of the processing encompasses all types of processing within the meaning of the GDPR for the fulfilment of the contract. Within the scope of the contract, the Contractor processes various data on behalf of the Client. This data is temporarily stored by the Contractor for further processing by the Client. The data is stored within the propform.io software and transferred to the Client’s CRM brokerage software via API.
2.2 The software provides the Client with a modular system for web forms. Once a web form has been published by the Client, the Client may collect various data via the web form. The Client may specify which data is to be collected whilst creating the web form.
2.3 The purposes of processing are all those necessary for the provision of the contractually agreed service.
3. Type of personal data
3.1 The type of data that the Contractor processes on behalf of the Client cannot be definitively defined, as this depends on the web forms and the questions in the Client’s web form.
3.2 Normally, the following data is generated via the Contractor’s software:
• Professional contact and (work) organisational data: e.g. surname, first name, address, email address, telephone number, mobile phone number, company size, title, position, etc.
• Personal contact and identification data: e.g. surname, first name, gender, address, email address, telephone number, mobile phone number, date and place of birth, title, etc.
• Property data: e.g. address, coordinates, year of construction, living space, plot size, asking prices, fixtures and fittings, etc.
4. Group of data subjects
4.1 The group of data subjects whose data the Contractor processes on behalf of the Client cannot be definitively defined, as this depends on the Client’s web forms and the way in which these forms are displayed.
4.2 Normally, the following groups of persons are considered data subjects:
• Employees of the Client/Controller: the Client’s own staff (e.g. employees, trainees, applicants, former employees)
• Customers and suppliers of the Client/Controller: persons who have a business relationship with the Client (e.g. customers, suppliers)
• External parties: any person who has no business relationship with the Client (e.g. visitors, guests, interested parties)
5. Technical and organisational measures
5.1 The Contractor undertakes to the Client to comply with the technical and organisational measures necessary to comply with the applicable data protection regulations. This includes, in particular, the requirements set out in Article 32 of the GDPR.
5.2 The status of the technical and organisational measures in place at the time of conclusion of the contract is attached as Annex 1 to this contract.
5.3 The Contractor shall ensure security in accordance with Article 28(3)(c) and Article 32 of the GDPR, in particular in conjunction with Article 5(1) and (2) of the GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, account must be taken of the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32(1) of the GDPR (details in Annex 1).
5.4 The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the level of security provided by the specified measures must not be compromised. Significant changes must be documented.
6. Responsibility
6.1 Within the scope of this contract, the Client is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the transfer of data to the Contractor and for the lawfulness of the data processing (‘Controller’ within the meaning of Article 4(7) of the GDPR). This also applies with regard to the purposes and means of processing set out in this agreement.
6.2 The contractually agreed data processing shall take place exclusively in a Member State of the European Union or in another State party to the Agreement on the European Economic Area, unless data transfer to third countries is necessary for the provision of the service. Any transfer to a third country requires the prior consent of the Client and may only take place if the specific conditions set out in Articles 44 et seq. of the GDPR are met.
7. Processing in accordance with documented instructions
7.1 The instructions are initially set out in the main contract and may subsequently be amended by the Client in writing or in electronic form (text form) by means of individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. The instructions must be documented by both the Client and the Contractor. In the event of proposed changes, the Contractor shall inform the Client of the implications for the agreed services, in particular the feasibility of service provision, deadlines and remuneration.
7.2 If it is unreasonable to expect the Contractor to implement the instruction, the Contractor shall be entitled to cease processing. Unreasonableness shall be deemed to exist in particular where the services are provided within an infrastructure used by several of the Contractor’s clients/customers, and a change to the processing is not possible or not reasonable for individual clients.
8. General obligations of the Contractor
8.1 Where the Contractor is obliged under Article 37 of the GDPR to appoint a data protection officer, the latter shall perform their duties in accordance with Articles 38 and 39 of the GDPR. The Contractor is not currently obliged under the statutory provisions to appoint a data protection officer, as it employs fewer than 20 persons engaged in the ongoing automated processing of personal data (Section 38(1) of the German Federal Data Protection Act, BDSG). No appointment is therefore currently being made. Should the obligation arise in the future, the Contractor shall inform the Client without delay.
8.2 The Contractor shall process personal data exclusively within the scope of the agreements entered into and/or in compliance with any supplementary instructions issued by the Client. This does not apply to statutory provisions which may oblige the Contractor to process data in any other manner. In such a case, the Contractor shall notify the Client of these legal requirements prior to processing, provided that the relevant law does not prohibit such notification on grounds of an important public interest. Otherwise, the purpose, nature and scope of data processing shall be governed exclusively by this contract and/or the Client’s instructions. The Contractor is prohibited from processing data in any manner deviating from this, unless the Client has consented to this in writing.
8.3 The Contractor guarantees the contractual execution of all agreed measures in relation to the processing of personal data in accordance with the contract.
8.4 The Contractor is obliged to organise its business and operational processes in such a way that the data it processes on behalf of the Client is secured to the extent necessary and protected against unauthorised access by third parties.
8.5 The Contractor shall inform the Client immediately if, in its opinion, an instruction issued by the Client contravenes statutory provisions. The Contractor shall be entitled to suspend the execution of the instruction in question until it is confirmed or amended by the Client. Provided the Contractor can demonstrate that processing in accordance with the Client’s instruction may result in the Contractor’s liability under Article 82 of the GDPR, the Contractor shall be free to suspend further processing to that extent until liability between the parties has been clarified.
9. Contractor’s obligations to provide support
9.1 In view of the nature of the processing, the Contractor shall take appropriate technical and organisational measures (Annex 1) to assist the Client in fulfilling its obligation to respond to requests from data subjects pursuant to Articles 12 to 22 of the GDPR.
9.2 Taking into account the nature of the processing and the information available to it, the Contractor shall assist the Client in complying with its obligations under Articles 32 to 36 of the GDPR. Specifically, this applies to the security of processing, the notification of personal data breaches to the supervisory authority, the communication of breaches to data subjects, the data protection impact assessment and prior consultation with the competent supervisory authority. The Contractor is entitled to demand reasonable remuneration from the Client for these services, provided that the assistance was not required due to a breach of law or contract by the Contractor. The Contractor shall provide the Client with cost information in advance.
9.3 If a data subject contacts the Contractor with requests for rectification, erasure or access, the Contractor shall refer the data subject to the Client, provided that the data subject’s details allow for identification of the Client. The Contractor shall forward the data subject’s request to the Client without delay. The Contractor shall assist the Client to the best of its ability. The Contractor shall not be liable if the Client fails to respond to the data subject’s request, or responds incorrectly or late.
10. The Client’s rights of inspection
10.1 The Client shall have the right, in consultation with the Contractor, to carry out audits or to have them carried out by auditors to be appointed on a case-by-case basis. The Client shall have the right to verify the Contractor’s compliance with this Agreement in the course of its business operations by means of spot checks, which shall generally be notified in good time.
10.2 Upon request, the Contractor shall provide the Client with all necessary information to demonstrate compliance with the obligations set out in this contract and Article 28 of the GDPR. In particular, the Contractor shall provide the Client with information regarding the stored data and the data processing programmes.
10.3 Upon request, the Contractor shall provide the Client with appropriate evidence of compliance with the obligations under Article 28(1) and (4) of the GDPR. Such evidence may be provided by means of documents and certificates reflecting approved codes of conduct within the meaning of Article 40 of the GDPR or approved certification procedures within the meaning of Article 42 of the GDPR.
11. Confidentiality
11.1 The Contractor confirms that it is aware of the data protection provisions of the GDPR relevant to the processing of the data. It shall maintain data secrecy and confidentiality when processing the Client’s personal data. This obligation shall continue even after the termination of this contractual relationship.
11.2 The Contractor undertakes to ensure that employees engaged in the performance of the work are made familiar with the data protection provisions applicable to them. The Contractor shall bind these employees by written agreement to maintain confidentiality for the duration of their employment and also after the termination of the employment relationship, unless they are subject to an appropriate statutory duty of confidentiality. The Contractor shall monitor compliance with data protection regulations within its organisation.
11.3 The Contractor may only disclose information to third parties with the prior written consent, or consent in electronic format, of the Client.
12. Contractor’s duty to provide information and breaches of personal data protection
12.1 The Contractor shall immediately inform the Client of any breaches or suspected breaches of this contract or of regulations concerning the protection of personal data.
12.2 The Contractor shall assist the Client in investigating, mitigating and remedying the breaches.
12.3 Should the personal data processed under this Agreement be at risk at the Contractor’s premises due to attachment or seizure, insolvency or composition proceedings, or other events or measures by third parties, the Contractor must inform the Client of this without delay. The Contractor shall also immediately inform all relevant authorities in this regard that control over the data lies with the Client.
12.4 In the event that inspections are carried out by data protection supervisory authorities, the Contractor undertakes to notify the Client of the results insofar as they relate to the processing of personal data under this contract. The Contractor shall immediately remedy any deficiencies identified in the inspection report and inform the Client thereof.
12.5 This clause 12 shall apply mutatis mutandis to incidents arising from processes carried out by subcontractors.
13. Subcontractors
13.1 Subcontractors shall be engaged to carry out the Client’s order. All subcontractors are listed below.
• IONOS SE, Elgendorfer Str. 57, 56410 Montabaur: Hosting of the domain and the server (server location: Germany)
13.2 The Contractor may engage further subcontractors if their services assist the Contractor in fulfilling the contract. The Contractor shall inform the Client in writing of any intended change regarding the engagement or replacement of other subcontractors, thereby giving the Client the opportunity to object to such changes within two weeks. If the Client objects to the changes, both parties shall have the right to terminate the general contractual relationship with immediate effect on the date of the objection. The implementation of extraordinary termination is governed by the Contractor’s General Terms and Conditions. To this end, the Contractor shall provide the Client with the following information in writing: a description of the planned change, the name and address of the subcontractor; the services to be provided by the subcontractor, the nature of the personal data and the category of data subjects.
13.3 The Contractor must contractually ensure that the provisions agreed in this contract also apply to subcontractors. The Contractor’s contract with the subcontractor must be concluded in writing or in electronic format.
13.4 Subcontractors in third countries may only be engaged if the specific requirements of Articles 44 et seq. of the GDPR are met.
13.5 The Contractor shall ensure that the Client has the same rights to issue instructions and exercise control over the sub-contractor as it has over the Contractor under this contract. If a sub-contractor fails to fulfil its data protection obligations, the Contractor shall be liable to the Client for the fulfilment of that sub-contractor’s obligations.
14. Erasure of personal data
14.1 Upon completion of the processing services agreed in the main contract, the Contractor is obliged to erase all personal data received in the course of the processing. This includes, in particular, the results of the data processing, documents and data carriers provided, and copies of the personal data. The obligation to delete data does not apply if the Contractor is legally obliged under EU or Member State law to continue storing the data. If there is a further obligation to store the data, the Contractor must restrict the processing of the personal data and use the data only for the purposes for which there is an obligation to store it. The obligations regarding the security of processing shall continue for the duration of the storage period. The Contractor must delete the data immediately as soon as the obligation to store it ceases to apply.
14.2 The deletion must be carried out in such a way that the data cannot be recovered.
15. Liability
15.1 The Client and the Contractor shall be liable externally under Article 82(1) of the GDPR for material and non-material damage suffered by a person as a result of a breach of the GDPR. If both the Client and the Contractor are responsible for such damage in accordance with Article 82(2) of the GDPR, the parties shall be liable internally for this damage in proportion to their share of responsibility. If, in such a case, a person makes a claim for damages against one party in full or predominantly, that party may demand indemnification or compensation from the other party to the extent corresponding to its share of responsibility.
15.2 The Contractor shall assist the Client with all information at its disposal if the Client is subject to administrative offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the processing of the order by the Contractor.
15.3 The Contractor shall be liable, within the limits of the statutory provisions, for damages arising as a result of culpable conduct in breach of data protection regulations or this Data Processing Agreement.
16. Final provisions
16.1 The defence of a right of retention within the meaning of Section 273 of the German Civil Code (BGB) is excluded in respect of the data processed for the Client.
16.2 Any amendments or ancillary agreements must be in writing or in electronic form. This also applies to amendments to this form requirement.
16.3 Should any provision of this agreement prove to be invalid, this shall not affect the validity of the remaining provisions of the agreement.
Annex 1: Technical and organisational measures of the Contractor
The Contractor shall implement the following technical and organisational measures for data security within the meaning of Article 32 of the GDPR.
1. CONFIDENTIALITY (Art. 32(1)(b) GDPR)
1.1 Physical access control
The Contractor shall, amongst other things, take the following measures to prevent unauthorised persons from gaining physical access to the data processing facilities used to process or utilise data:
• Multi-level barrier system: access to the building, access to the organisational unit within the building. Different keys are required for access, each of which is available only to those authorised to enter.
• Security locks
• Key management (key issue/return)
• Security check upon leaving the premises
• Visitors and service providers are accompanied
• Video surveillance of the outdoor area
1.2 System access control
The Contractor shall, amongst other things, take the following measures to prevent unauthorised persons from using the data processing systems on which data is processed:
• Secure authentication using strong and regularly updated passwords for all systems (development system, server, database, domain management).
• Password policies and password change requirements
• Two-factor authentication (2FA) for access to critical systems
• Use of firewalls and IP blockers at server and database level to prevent unauthorised access and potential threats from unauthorised IP addresses.
• Use of Fail2ban
• Passwords are only stored after being converted using one-way functions (hash functions). Access to the converted password data is secured by authorisation policies and is only permitted for staff with the appropriate level of responsibility.
• Rights and roles concept (need-to-know principle)
• Security locks
• Key management (key issue/return)
• Visitors and service providers are accompanied
• Encryption of mobile storage devices and computers
• Use of antivirus software
1.3 Data access control
The Contractor shall, amongst other things, take the following measures to ensure that persons authorised to use a system can access only the data covered by their authorisation, and to prevent unauthorised reading, copying, modification or removal of data within the system:
• Rights and roles concept (need-to-know principle)
• Number of administrators reduced to the absolute minimum
• Guidelines for passwords and password changes
• Encryption of portable data storage devices and computers
• Proper destruction of physical data storage devices and media (e.g. shredders)
1.4 Separation of duties
The Contractor shall, amongst other things, take the following measures to ensure the separate processing of data collected for different purposes:
• Separation of local, development, test and production (live system)
• Rights and roles concept (need-to-know principle)
• Separation of data storage in the form of logical data separation with client-specific accounts
• Encrypted storage of all data submitted via forms created by clients
1.5 Pseudonymisation
The Contractor shall, amongst other things, take the following measures to process personal data, wherever possible, in such a way that it cannot be attributed to an individual without additional information:
• Personal data is pseudonymised by means of a random alphanumeric code before being stored in the database
• Appropriate selection of pseudonymisation keys
1.6 Encryption
The Contractor shall, amongst other things, take the following measures to convert plain text into unreadable ciphertext using keys:
• Appropriate choice of encryption (AES-256)
• Encryption of development computers and backups
• Automatic logging of key usage
• Access control (need-to-know principle)
• Secure and fail-safe key management
2. INTEGRITY (Art. 32(1)(b) GDPR)
2.1 Transmission control
The Contractor shall, amongst other things, take the following measures to prevent unauthorised reading, copying, alteration or removal during electronic transmission or transport:
• All data transmissions take place via encrypted protocols (HTTPS, i.e. TLS-encrypted data communication) to protect the confidentiality and integrity of data in transit
• Email encryption in accordance with legal requirements (IMAPS, SMTPS, STARTTLS; TLS)
• Prevention of SQL injection (prepared statements and parameterised queries) and of cross-site scripting (input validation and sanitisation), supplemented by a web application firewall (WAF)
2.2 Input control
The Contractor shall, amongst other things, take the following measures to ensure that it is possible to subsequently verify and determine whether, and by whom, data has been entered into, modified or removed from data processing systems:
• Logging of all changes (entry, modification and deletion of data) in the code and to data sets
2.3 Data integrity in the event of malfunctions
The Contractor shall, amongst other things, take the following measures to ensure that stored personal data cannot be damaged by system malfunctions:
• Updates, upgrades and patches are installed regularly
• Regular backups are carried out (e.g. servers, databases, code base)
• New software or versions are tested in test environments to prevent such malfunctions.
3. AVAILABILITY AND RESILIENCE (Art. 32(1)(b) and (c) GDPR)
3.1 Availability control
The Contractor shall, amongst other things, take the following measures to ensure that data is protected against accidental or deliberate destruction or loss:
• Regular updates and patch management: regular updating of all systems (servers, development systems and environments, database software, programming languages, frameworks, antivirus software, etc.) with the latest security patches, following prior testing on the local and development systems
• Use of firewalls and antivirus software to protect against external threats
• Use of Fail2ban
• Regular backups
• Conducting internal and external penetration tests at regular intervals
3.2 Recoverability
The Contractor shall, amongst other things, take the following measures to ensure that the availability of personal data and access to it can be swiftly restored in the event of a physical or technical incident:
• Drawing up a contingency plan
• Regular backups/redundancies
3.3 Maintenance and updating
• Regular updates and patch management: Regular updating of all systems (servers, development systems and environments, database software, programming languages, frameworks, antivirus software, etc.) with the latest security patches, following prior testing on local, development and test systems.
• Carrying out automatic and manual tests during development
• Use of test environments prior to the go-live of code changes and updates
• Continuous monitoring of systems with regard to logging and admin notifications in the event of malfunctions during production operations
4. PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
4.1 Data protection management
• Appointment of a data protection officer, provided the Contractor is legally obliged to do so
• Appointment of data protection coordinators, where the size and structure of the Contractor’s organisation so require
• Record of processing activities
• Training and awareness-raising measures for employees
• Employee confidentiality obligations
• Defined and documented processes
• Work instructions / policies with a data protection focus
• Regular reviews of technical and organisational measures
4.2 Incident response management
• Definition of duties and responsibilities
• Defined reporting process
• Defined measures for relevant and conceivable scenarios
• Defined escalation procedures
• Up-to-date reporting and contact lists
• Review process for reported incidents and subsequent risk classification where applicable
• Pre-defined responses to the incident
• Reflection and follow-up process
4.3 Privacy-friendly default settings
• Process to ensure privacy by design and by default when changes are made
4.4 Contractual controls
• The responsibilities of the Client and the Contractor are set out in the main contract
• Ensuring that data processing agreements pursuant to Article 28 of the GDPR (and, for transfers to third countries, standard contractual clauses or other safeguards under Articles 44 et seq. of the GDPR) are in place with all sub-processors
• Safeguarding confidentiality and data privacy