Cozero DPA
Last updated: 09.08.2024
Data Processing Agreement
1. Preamble, Subject-Matter, and Order of Precedence
1.1 This data processing agreement (the "Data Processing Agreement") is an integral part of the Contract between the Customer and Cozero relating to the provision of the Contractual Services.
1.2 This Data Processing Agreement describes how Cozero will Process Personal Data that the Customer provides to Cozero in connection with the Customer’s use of the Contractual Services, in accordance with the requirements of Data Protection Laws.
1.3 In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of the Contract.
2. Definitions
The definitions in the Terms shall also apply to this Data Processing Agreement. Additionally, the following definitions apply:
2.1 "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data (including in connection with providing telecommunication Services and conducting email marketing), and including, without limitation, the GDPR and the German Bundesdatenschutzgesetz (BDSG).
2.1 "Process" or "Processing" means any operation or set of operations which is performed by Cozero as part of the Contractual Services upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.3 "Subprocessor" means a third-party subcontractor engaged by Cozero which, as part of the subcontractor's role of delivering the Contractual Services, will Process Personal Data.
3. Scope, Duration, Type of Data and Categories of Data Subjects
3.1 Under the terms of this Data Processing Agreement, Cozero will Process Personal Data on behalf of Customer in accordance with article 28 GDPR.
3.2 This Data Processing Agreement shall be effective for the duration of Cozero's Contractual Services under the Contract, and shall terminate automatically upon expiration or termination of the Contract for any reason.
3.3 Processing may include the following types/categories of Personal Data: personal information including name or email address, job description, business location affiliation, provided personal pictures, IP address, usage data, device data, referral data, information from cookie and page tags.
3.4 The data subjects concerned by the Processing hereunder are assigned to the following categories: (i) employees of the Customer; (ii) suppliers of the Customer and (iii) business contacts of the Customer.
4. Customer Instructions
4.1 During the Contractual Services, the Customer may provide instructions to Cozero in addition to those specified in this Data Processing Agreement with regard to the Processing of Personal Data (each such instruction hereinafter, a "Processing Instruction") in connection with the Contractual Services. Any Processing Instruction must be in writing or in electronic form. Cozero will Process the Customer's Personal Data according to the Customer's instructions.
4.2 Any Processing Instruction that amends or deviates from the terms of this Data Processing Agreement will constitute a change request with regard to the Terms. Cozero will negotiate in good faith with the Customer with respect to any change in the Contractual Services and/or fees resulting from any Processing Instructions.
4.3 The Customer is responsible for ensuring that the Customer's Processing Instructions comply with Data Protection Laws.
4.4 If Cozero believes that a Processing Instruction infringes or violates Data Protection Laws, Cozero will immediately inform the Customer thereof.
5. Obligations and Rights of the Customer
5.1 The Customer will be the controller as defined in Article 4 paragraph 7 GDPR. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer has acquired Personal Data.
5.2 The Customer will maintain a record of Processing activities under the Customer's responsibility in accordance with article 30 GDPR.
6. Cozero’s Obligations
6.1 Cozero will Process Personal Data only on documented instructions by the Customer and solely for the provision of the Contractual Services and will not otherwise (i) Process or use Personal Data for purposes other than those set forth in the Contract or this Data Processing Agreement or (ii) disclose Personal Data to third parties other than Subprocessors for the aforementioned purposes or as required to do so by Union or Member State law to which Cozero is subject. In such a case, Cozero will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.2 Cozero will generally Process Personal Data within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area. In some instances, Cozero may also transfer Personal Data to Cozero's third-party service providers located in the United States of America; please see Cozero's List of Subprocessors (available at https://cozero.io/subprocessors) for details on the third-party service providers Cozero uses. If, from the Customer's point of view, the performance of a transfer impact assessment should be necessary in the event of Processing of Personal Data in a third country, Cozero will support the Customer in this to a reasonable extent and to the best of its knowledge.
6.3 Cozero will ensure that its personnel engaged in and authorized for the Processing of Personal Data are informed of the confidential nature of the Personal Data and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.4 Cozero has appointed a data protection officer: Anja Ruisinger, Cozero GmbH, Zionskirchstraße 73a, 10119 Berlin. The person may be reached by email via dpo@cozero.io.
7. Technical and Organizational Measures
7.1 When Cozero Processes Personal Data on the Customer's behalf, Cozero will take all measures required pursuant to Article 32 GDPR, and has implemented and will maintain certain technical and organizational security measures for the Processing of such data, as such measures are specified in Annex 1. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of Processing.
7.2 All technical and organizational security measures are subject to technical progress and development. Accordingly, Cozero may modify its security measures and/or implement alternative security measures, provided, however, that these do not fall short of the level of security as contractually agreed upon in Annex 1.
8. Customer Audit Rights
8.1 The Customer may, prior to the commencement of the Contractual Services and up to once per year during the performance of the Contractual Services, audit the technical and organizational measures implemented by Cozero. The Customer may perform more frequent audits to the extent required by Data Protection Laws.
8.2 In the course of such audit, the Customer may, in particular, conduct the following measures: (i) the Customer may obtain all such information from Cozero that is necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement; (ii) the Customer may request Cozero to submit to the Customer an existing certificate by a qualified third party auditor and (iii) the Customer may, upon reasonable advance agreement, during regular business hours and without interfering with Cozero's business operations, conduct an on-site inspection of those parts of Cozero's business facilities where Personal Data is being processed, subject to Cozero's then-applicable security policies.
8.3 To request an on-site inspection, the Customer must submit an inspection plan to Cozero at least two weeks in advance of the proposed inspection date, describing the proposed scope, duration and start date of the inspection. Cozero will review the inspection plan and provide the Customer with any concerns or questions (for example, any request for information that could compromise Cozero's security, privacy, employment or other relevant policies).
8.4 If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within the prior twelve months, the Customer agrees to accept those findings in lieu of requesting an audit of the systems covered by the report.
8.5 The Customer will provide Cozero with any audit reports generated under this section, unless prohibited by law. The Customer may use the audit reports only for the purpose of confirming that Cozero's technical and organizational measures are in compliance with the requirements of this Data Processing Agreement. The audit reports are confidential information of the parties under the terms of the Contract.
8.6 Any audits are at the Customer's expense. Any request for Cozero to provide assistance with an audit is considered a separate service.
8.7 If a third party is to conduct the audit, the third party must be mutually agreed to by the Customer and Cozero and must execute a written confidentiality agreement acceptable to Cozero before conducting the audit.
9. Subprocessors
9.1 Cozero may engage Subprocessors to assist in the Processing of the Customer's Personal Data. The Customer gives its prior general authorization to Cozero's use of Subprocessors. A list of Subprocessors is provided at https://cozero.io/subprocessors. Where Cozero intends to add or replace a Subprocessor, Cozero will inform the Customer of such intended change, thereby giving the Customer the opportunity to object to such change. If the Customer does not object within two weeks from Cozero's notification regarding the change of a Subprocessor, this has the same effect as consent.
9.2 Cozero will ensure that all of its Subprocessors are required to abide by substantially the same obligations as Cozero under this Data Processing Agreement as applicable to their performance of the Contractual Services. Cozero remains responsible at all times for compliance with the terms of this Data Processing Agreement by all Subprocessors engaged in the performance of the Contractual Services to the Customer.
9.3 Insofar as Cozero works with freelancers who have access to the Customer's Personal Data, Cozero ensures that it only collaborates with freelancers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Processing by a freelancer is governed by a data processing agreement which ensures the same data protection standard the Customer and Cozero agreed on. Cozero will provide a list of the freelancers upon request.
10. Rights of Data Subjects
10.1 Where a data subject requests Cozero to correct, delete or block Personal Data, Cozero will pass on such request to the Customer. Cozero will not respond to any requests of data subjects without the Customer's prior written consent.
10.2 Where a data subject requests the Customer to correct, delete or block Personal Data or to provide information about the collection, Processing or use of Personal Data in connection with the Contractual Services and the Customer is unable to fulfil the request itself through Cozero's Website, Cozero will support the Customer in responding to the request and in fulfilling the request by appropriate technical and organisational measures, insofar as this is possible, provided that (i) the Customer instructs Cozero to do so in writing or in text form and (ii) the Customer reimburses Cozero for the cost and expenses incurred in providing such support.
11. Deletion and Return of Data
11.1 Cozero will not create copies or duplicates of the Customer's Personal Data without the Customer's prior approval. Notwithstanding the preceding sentence, Cozero may (i) create backup copies, to the extent such backup copies are required to ensure the proper Processing of Personal Data, and (ii) prepare and retain copies of Personal Data where required by Cozero to comply with any statutory retention and storage obligations.
11.2 Upon termination of the Contract or at any prior time upon the Customer's written request, Cozero will at the Customer's choice either delete the Personal Data from Cozero's systems or return such Personal Data to the Customer and delete all copies. Cozero is not liable for any loss or damage following, or as a result of, such deletion or return, and it is the Customer's responsibility to ensure that any Personal Data which the Customer requires is backed up or replicated before deletion or return.
11.3 If, in connection with the Contractual Services, Cozero has received from the Customer any data media containing Personal Data, Cozero will return to the Customer any such data media still in Cozero's possession at the time of termination of the Contract or upon the Customer's written request.
11.4 Notwithstanding the above, Cozero will retain only those Personal Data which are required for Cozero to comply with EU law or Member State law.
12. Duties to Notify and Further Support
12.1 Cozero will, without undue delay, inform the Customer if the Personal Data becomes subject to (governmental) search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Cozero's control.
12.2 Cozero will, without undue delay, inform the Customer if Cozero determines that (i) the Personal Data has been subject to a security incident (including by a Cozero employee) or (ii) there has been a breach by Cozero (including by a Cozero employee) of Data Protection Laws applicable to the performance of the Contractual Services to the Customer or of any of the provisions set forth in this Data Processing Agreement. In such event, Cozero will promptly investigate the security incident or breach and take reasonable measures to identify its root cause and prevent a recurrence.
12.3 In the event that, due to the security incident or breach, the Customer is required to fulfil any disclosure obligations in accordance with Article 33 GDPR, Cozero will support the Customer in fulfilling such obligations, provided that (i) the Customer instructs Cozero to do so in text form and (ii) the Customer reimburses Cozero for its reasonable and documented cost and expenses incurred in providing such support.
12.4 In addition to Cozero's assistance obligations above, Cozero will assist the Customer in ensuring compliance with the Customer's obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of Processing and the information available to Cozero, provided that (i) the Customer instructs Cozero to do so in text form and (ii) the Customer reimburses Cozero for its reasonable and documented cost and expenses incurred in providing such support.
13. Changes
13.1 Cozero may change these terms at any time for a variety of reasons, such as to reflect changes in applicable law, to reflect updates to the Contractual Services or the technical and/or organizational measures Cozero employs, and to account for new Services or functionalities.
14. Miscellaneous
14.1 Where individual provisions of this Data Processing Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Data Processing Agreement shall not be affected.
14.2 This Data Processing Agreement is subject to German law. Any disputes arising out of or in connection with this Data Processing Agreement shall be exclusively submitted to the courts of Berlin.
14.3 This DPA is bindingly agreed between the Parties without separate signature as follows: In case of a conclusion of contract in paper form by an explicit reference to the Terms of Service; in case of a conclusion of contract online by a link to the Terms of Service.
Annex 1 - Technical and organizational measures to ensure the security of processing
1. Measures to ensure confidentiality
1.1 Physical access control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.
Description of physical access control:
- Safety locks on doors
- Careful selection of cleaning staff
- Admission management: authorized personnel and scope of authorization are pre-defined
- Careful selection of security staff
- Further measures by service provider
1.2 Logical access control
Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.
Description of logical access control system:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- User rights are granted restrictively
- All log-ons / log-offs are recorded
- Use of central password policy
1.3 Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.
Description of data access control:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- All data access is logged automatically
- Small number of system administrators
- Records and log files are analyzed regularly
1.4 Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
Description of the separation control process:
- Systems allow for data segregation (multi-tenancy), data is segregated by software
- Productive systems and test systems are separated from each other
- Data sets can be accessed only through those applications which have been pre-defined
- Database user rights are issued and managed centrally
1.5 Pseudonymization measures
Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures.
Description of the pseudonymization:
- None, due to work on a central server system
2. Measures to ensure integrity
2.1 Transmission and transport control
Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore, measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.
Description of the transmission and transport control:
- HTTPS
- Unnecessary printouts are destroyed
- No use of physical data carriers
- Comprehensive logging procedures
- No use of private data carriers at work
2.2 Input control
Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.
Description of the input control process:
- Logging of all system activities and keeping of these logs for at least six months
- Use of central rights management for entering, altering and deleting data
3. Measures to ensure availability and resilience
3.1 Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system:
- Backups are taken on a regular basis and kept for 120 days
- Backup and recovery plan is in place
- Data backup files are stored at a safe and remote location; diverse additional measures are taken by suppliers
- Localisation
- Additionally, diverse measures are taken by server service providers
3.2 Quick recovery
Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.
Description of the measures for quick recovery:
- Data backup procedure
4. Measures for the regular testing and evaluation of the security of data processing
Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller.
Description of the order control measures:
- Involvement of data protection officers for all data protection-related questions
- Formalized processes for data privacy incidents