Data Processing Agreement

Contract for commissioned processing pursuant to Article 28 (3) of the General Data Protection Regulation ("GDPR")

b e t w e e n

Client of the Hintbox

as the Controller (herein referred to as "Principal")

a n d

lawcode GmbH Universitätsstraße 3, 56070 Koblenz, Germany

as Processor (herein referred to as "Contractor")

(together referred to as the "Parties")


The Principal shall commission the Contractor with the services specified in Section 2 of this Agreement. Part of the execution of the agreement is the processing of personal data in connection with the digital whistleblower system Hintbox and/or the Ombuds Solution. The Contractor's Information Security Management System ("IS-MS") is ISO 27001 certified. In particular, Article 28 GDPR imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties enter into the following Agreement.

1. Subject and duration of the order

(1) Subject

The subject matter of the order results from the Performance Description and the terms of use which the parties have concluded with the purchase of the license of the Hintbox and/or the Ombuds Solution and to which reference is made herein (together "Performance Agreement").

(2) duration of the order

The duration of this contract corresponds to the term of the Performance Agreement.

2. Concretization of the content of the order

(1) Nature and purpose of the intended processing of data

The Contractor shall provide the Hintbox to the Principal as a digital whistleblowing system as a Software as a Service solution for use by the Principal. This enables, among others, employees, suppliers and business partners of the Principal to submit reports on violations of law and irregularities to the Principal via the Hintbox. The Principal can communicate with the whistleblower via the Hintbox and process the reports.

If booked by the Principal, the Contractor shall provide the Principal with the Ombuds Solution for the administration of digital whistleblower systems of clients/customers of the Principal.

In both cases, the Principal acts as the Controller and determines the purposes and means of data processing. The Contractor shall manage the digital platform.

The provision of the contractually agreed data processing shall take place exclusively in Germany, in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Principal and may only take place if the special requirements of Article 44 et seq. GDPR are fulfilled.

(2) Type of data

The subject of personal data processing are the following types/categories of data: Contact and identification data (e.g. first and last name, addresses, etc.); data on violations of the law and irregularities in connection with a report; information on the payment of the Ombuds Solution.

(3) Categories of persons concerned

The categories of data subjects affected by the processing include: Employees; Suppliers; Business Partners; Customers; Contacts; Sales Representatives; Interested Parties.

3. Technical-organizational measures

(1) The Contractor shall document the implementation of the technical and organizational measures set out and required in the run-up to the awarding of the contract before the start of the processing, in particular with regard to the specific execution of the contract, and shall hand them over to the Principal for inspection. The documented measures shall become the basis of the order. Insofar as the inspection/audit of the Principal reveals a need for adaptation, this shall be implemented by mutual agreement.

(2) The Contractor shall establish security pursuant to Article 28 Para. 3 lit. c, 32 GDPR, in particular in connection with Article 5 Para. 1, Para. 2 GDPR. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR shall be taken into account. Further details can be found in Annex 1.

(3) The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures. In doing so, the security level of the specified measures may not be undercut. Significant changes shall be documented.

4. Correction, restriction and deletion of data

The Contractor may not correct, delete or restrict the processing of data processed on its own authority, but only in accordance with the documented instructions of the Principal. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Principal without delay.

5. Quality assurance and other obligations of the contractor

In addition to compliance with the provisions of this Order, the Contractor shall have statutory obligations pursuant to Articles 28 to 33 of the GDPR; in this respect, the Contractor shall in particular ensure compliance with the following requirements:

a) a) The Contractor's data protection officer is Mr. Andreas Weber, phone.: +49 261 988 03 700,

b) Maintaining confidentiality in accordance with Article 28 (3) Sentence 2 lit. b, 29, 32 (4) GDPR. When carrying out the work, the Contractor shall only use employees who have been obligated to maintain confidentiality and who have been familiarized with the relevant provisions on data protection beforehand. The Contractor and any person subordinate to the Contractor who has access to personal data may process such data exclusively in accordance with the instructions of the Principal, including the powers granted in this Agreement, unless they are required by law to process such data.

c) The implementation of and compliance with all technical and organizational measures required for this order in accordance with Article 28 Para. 3 Sentence 2 lit. c, 32 GDPR as per Annex 1.

d) Upon request, the Principal and the Contractor shall cooperate with the Supervisory Authority in the performance of its duties. In such a case, the Contractor may demand reasonable remuneration.

e) The immediate information of the Principal about control actions and measures of the supervisory authority, insofar as they relate to this order. This shall also apply insofar as a competent authority investigates the processing of personal data in the course of administrative or criminal proceedings at the Contractor.

f) Insofar as the Principal is exposed to an inspection by the supervisory authority, to administrative or criminal proceedings, to a liability claim by a data subject or a third party or to any other claim in connection with the Order Processing at the Contractor, the Contractor shall support the Principal to the best of its ability. In such a case, the Contractor may demand appropriate remuneration.

g) The Contractor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is ensured.

h) Verifiability of the technical and organizational measures taken vis-à-vis the Principal within the scope of its control powers pursuant to Section 7 of this Agreement.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services which the Contractor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure data protection and data security of the Principal's data, even in the case of outsourced ancillary services.

(2) The Principal already agrees to the assignment of the following subcontractor under the condition of a contractual agreement in accordance with Article 28 (2-4) of the GDPR:

Company subcontractor AAddress/Country Service
Hetzner Online GmbH Industriestraße 25
91710 Gunzenhausen
Phone: +49 (0)9831 505-0
Fax: +49 (0)9831 505-3
Provision of server capacity (hoster) for the personal data stored and processed in the Hintbox and/or the Ombuds Solution.
DeepLGmbH Maarweg 165
50825 Köln
Fax: +49 221 95491533
Provision of an AI for the linguistic translation of customer content (legal texts, e-mail texts, cate-gories and processes) and incoming reports (data transmission in encrypted form to DeepL GmbH only takes place if the admin/manager of the case has expressly agreed to this in ad-vance).
Telekom Deutschland GmbH (Open Telekom Cloud) Landgrabenweg 151
53227 Bonn
Hosting/backup of en-crypted data in the Hint-box for the purpose of co-location as part of the Contractor's business continuity management.
Only if the principal has also booked the digital whistleblower-hotline (optional):
inopla GmbH
Reisholzer Werftstr. 31
40589 Düsseldorf
Phone: +49(0)211 - 36 76 4000
Fax +49(0)211 - 36 76 4010
Provision of telephone numbers and digital an-swering of calls with au-tomatic transfer to the Hintbox.

Outsourcing to additional subcontractors or changing the existing subcontractor is permissible to the extent:

  • the Contractor notifies the Principal of such outsourcing to subcontractors in writing or text form a reasonable time in advance; and

  • the Principal does not object to the planned outsourcing in writing or in text form to the Contractor by the time the data is transferred; and

  • a contractual agreement in accordance with Article 28 (2-4) of the GDPR is used as a basis.

(3) The transfer of personal data of the Principal to the subcontractor and its initial activity shall be permitted only after all requirements for subcontracting have been met.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure the admissibility under data protection law by taking appropriate measures in accordance with Article 44 et seq. GDPR. The same shall apply if service providers within the meaning of Paragraph 1 Sentence 2 are to be used. Any relocation to a third country requires the prior consent of the Principal.

(5) Any further outsourcing by the subcontractor shall require the express consent of the main contractor (at least in text form); all contractual provisions in the contractual chain shall also be imposed on the further subcontractor.

7. Control rights of the Principal

(1) The Principal shall have the right, in consultation with the Contractor, to carry out inspections at the Contractor's premises or to have such inspections carried out by an inspector to be named in the individual case. It shall have the right to satisfy itself of the Contractor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.

(2) The Contractor shall ensure that the Principal can satisfy itself of the Contractor's compliance with its obligations pursuant to Article 28 of the GDPR. The Contractor undertakes to provide the Principal with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures pursuant to Annex 1.

(3) Evidence of such measures, which not only relate to the specific order, can be provided in the form of current certificates, reports or report extracts from independent bodies (e.g. tax advisors, auditors, auditors, data protection officers or data protection officers, IT security departments, data protection auditors, quality auditors).

(4) The Contractor may claim an appropriate amount of remuneration for enabling the Principal to carry out inspections and for the performance of such inspections.

8. Support obligations of the contractor

(1) The Contractor shall support the Principal in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. These include but are not limited to:

a) ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected likelihood and severity of a possible security breach and allow for the immediate detection of relevant breach events;

b) the obligation to report personal data breaches to the Principal without undue delay;

c) the obligation to support the Principal within the scope of his duty to inform the data subject and to provide him with all relevant information in this context without delay;

d) the support of the Principal for its data protection impact assessment;

e) assisting the Principal in prior consultations with the Supervisory Authority.

(2) The Contractor may claim compensation at a reasonable rate for support services not included in the Performance Agreement or not attributable to Contractor misconduct.

9. Authority of the Principal to issue instructions

(1) The Contractor shall process the personal data exclusively in accordance with the instructions of the Principal.

(2) The Principal shall confirm verbal instructions to the Contractor without delay (at least in text form).

(3) The Contractor shall inform the Principal without delay if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Principal.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall not be made without the knowledge of the Principal. Exceptions to this are security copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory retention obligations.

(2) After completion of the contractually agreed work or earlier upon request by the Principal - at the latest upon termination of the Performance Agreement - the Contractor shall hand over to the Principal all documents, processing and utilization results created and data files related to the contractual relationship that have come into its possession or, with the prior express consent of the Principal, destroy them in accordance with data protection regulations. The same shall apply to test and output material. The protocol of the deletion shall be submitted upon request.

(3) Documentation that serves as proof of the proper processing of data in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods.

11. Liability

Liability for commissioned processing is governed by Article 82 GDPR. In all other respects, liability is governed by the Performance Agreement.

12. Final provisions

(1) Amendments and supplements to this agreement must be made in text form.

(2) Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions in each case.

(3) In the event of a conflict with regard to commissioned processing under data protection law, the provisions of this Agreement shall take precedence over the provisions of the Performance Agreement.

(4) This agreement is subject to German law. The exclusive place of jurisdiction shall be the Contractor's registered office.

Annex 1: Technical-organizational measures

1. Confidentiality (Article 32 Abs. 1 lit. b GDPR)
  • Access control

    The German data center is comprehensively secured by entry controls and security mechanisms to prevent unauthorized access to data processing facilities (including alarm system, security guard, logging of access, etc.). Access is only permitted to authorized employees. In addition, the Contractor's offices are secured by means of keys, among other things.

  • Access controll („Zugangskontrolle")

    • The Contractor uses strong and complex passwords to prevent unauthorized use of the system.

    • All data related to the reports and their communication are encrypted end-to-end.

    • The databases are encrypted using AES-256 encryption.

    • 2-factor authentication for the HINTBOX and the Ombuds Solution.

    • A firewall is deployed and there is comprehensive malware protection on workstations and servers.

    • Encryption of hard drives.

    • Technical lockout of workstation when not active.

    • TLS (Transport Layer Security) encryption on the website ("").

    • VPN-network

  • Access control ("Zugriffskontrolle") No unauthorized reading, copying, modification or removal within the Contractor's system. This is ensured by an authorization concept in the form of an access control policy (in accordance with ISO 27001). This provides for a process for granting access within the Contractor. The need-to-know principle applies. Access from special security areas (development and IT operations) is subject to even more stringent approval procedures (including the four-eyes principle, separate security check of the applicant by the respective asset owner). Increased password protection has been implemented.

  • Separation control

    • The databases of the respective customers are administered separately.

    • Multi-client capability.

    • Separate storage of customer data.

    • Separation of development, test and production systems.

  • Pseudonymization (Article 32 Abs. 1 lit. a GDPR; Article 25 Abs. 1 GDPR)

    The data in the HINTBOX and the Ombuds Solution are encrypted. This means that the encrypted data in the HINTBOX and the Ombuds Solution cannot be de-pseudonymized with data from third parties and no personal reference can be made.

2. Integrity (Article 32 Abs. 1 lit. b GDPR)
  • Transfer control No unauthorized reading, copying, modification or removal during electronic transmission or transport due to industry-standard SSL encryption. In addition, there is encryption of the devices.

  • Input control Modifications by changes, insertions and deletions are logged in an index of the Hintbox in an audit proof manner. Deletion of the reports and the corresponding index is only possible after passing through the dual control principle (Manager + Admin or Admin + Admin).

    Modifications by the Contractor are only possible for the responsible asset owner according to a dual control principle and are logged.

3. Availability and resilience (Article 32 Abs. 1 lit. b GDPR)
  • Availability control Back-ups of the HINTBOX and the Ombuds Solution are made daily to minimize data loss. We use industry standard virus protection.

    The host provider Hetzner (ISO 27001 certified) uses a comprehensive UPS and implements further protective measures (firewall, reporting channels and emergency plans).

  • Rapid recoverability (Article 32 Abs. 1 lit. c GDPR);

    Restoring data from the backup can be done within a few minutes. Documentation in the ticket system.

4. Procedures for regular review, assessment and evaluation. (Article 32 Abs. 1 lit. d DSGVO; Article 25 Abs. 1 GDPR)
  • The Contractor has implemented a comprehensive data protection management system, in particular a GDPR policy, processing directory, appointed a data protection officer, training and awareness raising of employees are conducted regularly, etc.

  • The Contractor has implemented an IS-MS in accordance with the requirements of ISO 27001.

  • The Contractor have audited its IS-MS by an independent auditor based on the requirements and, in particular, the controls of ISO 27001 once a year; otherwise on an ad hoc basis.

  • Incident response management in accordance with the requirements of the GDPR as well as ISO 27001 has been implemented.

  • The Contractor has designed and programmed the default setting of the Hintbox in such a way that only such data is processed as is necessary for the processing purpose (= clarification of compliance reports). Even the fields of the input mask are limited to what is absolutely necessary. In addition, whistleblowers can also submit their reports anonymously. The settings of the Hintbox are designed in such a way that no IP addresses or other device data are tracked in order to ensure the confidentiality/anonymity of the whistleblowers. The reports are also encrypted end-to-end. Only the admin can invite managers to a case or to the Hintbox (with 2-factor authentication).

  • Order control

    The Contractor shall regularly evaluate its data protection management system and regularly assure itself of the data protection reliability of its subcontractors and suppliers. The Contractor controls this via its supplier management in accordance with the requirements of ISO 27001.