Annex 1

Further Information on the Processing of Customer Data

1
Purpose and extent of Data Processing
Provision of the Lateral Service as a web application, which functions as a platform for assisting in the analysis and creation of content, along with fulfilment of the Processor’s obligations under the Contract.
2
Types of personal data
Contact data; usage data; any data submitted by the Subscriber to the Software; Employee Data; Customer Data; Supplier Data; User-generated Data; User data; Profile data; password; email; logfiles.
3
Categories of data subjects
Users of the Lateral Service; possibly other data subjects mentioned or included in content submitted by the Customer to the Software.

Annex 2

Technical and organisational measures by the Processor

1
Physical access control
(Art. 32 (1) b) GDPR)
Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used. This term is to be understood spatially.

Technical:
- Data is not physically hosted with us

Org:
- Signed DPAs with all data processors
- Key regulation (key issuance logging)
- Determination of authorised persons for access
- Alarm system / intrusion reporting system
- Video surveillance of access points
- Assignment of minimum authorisations
2
Data usage control
(Art. 32 (1) b) GDPR)
Measures to prevent data processing systems from being used by unauthorized persons.
Technical:
- Usage of document shredders

Org:
- Rules for creating users
3
Data access control
(Art. 32 (1) b) GDPR)
Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization. They should also ensure that personal data cannot be read, copied, changed or removed by unauthorized persons during processing, use and after storage.
Technical:

- Authentication with username / password
- Additional Two-Factor authentication for some systems
- Automated screen locking
- Separation of networks
- Employees lock their work devices during their absences
- Unused devices are locked
- (Deployment of antivirus software)
- Encryption of data carrying devices

Org:

- Signed DPAs with all data processors
- Removal of authorisation when employees leave the company
- Assignment of minimum authorisations to production systems
4
Transmission control
(Art. 32 (1) b) GDPR)
Measures to ensure that personal data cannot be read, copied, changed or removed without authorization during electronic transmission or during transport or storage on data carriers. It should also be ensured that it is possible to check and establish to which bodies personal data are to be transferred by data transfer equipment.
Technical:

- Establishment of VPN tunnels
- Encrypted transmission (SSL/TLS) over public networks
5
Input control
(Art. 32 (1) b) GDPR)
Measures to ensure that it is possible to subsequently check and establish whether and by whom personal data have been entered, modified or removed in data processing systems.
Technical:

- Control over access to enter data in the data processing systems
- Documentation of authorizations to enter data
6
Job control
(Art. 32 (1) b) GDPR)
Measures to ensure that personal data processed by order can only be processed according to the instructions of the client.
Org:

- Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)
- Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR
- Processor has appointed a Data Protection Officer
- Commitment of employees on data secrecy
- In the event of serious breaches, the client will be informed immediately
7
Availability control
(Art. 32 (1) b) GDPR)
Measures to ensure that personal data is protected against accidental destruction or loss.
Technical:

- All hosted on Google Cloud (see DPA)
- Regular backups

Org:

- Fire and smoke detection systems
8
Separation control
(Art. 32 (1) b) GDPR)
Measures that ensure that data collected for different purposes can be processed separately.
Technical:

- Separation of production, testing and development

Org:

- Development of an authorisation concept for data access
9
Encryption
(Art. 32 (1) a) GDPR)
Measures to ensure that data, when transferred internally or externally, is protected so that it is readable only with the appropriate encryption key.
Technical:

- Encryption of data transferred over public networks
- Encryption of data at rest on laptops / notebooks
10
Data protection management (Privacy by Design)
(Art. 32 (1) d) GDPR)
Measures that ensure the effectiveness of technical and organisational measures in place to ensure the security of processing and processed data.
Org:

- Regular checks of implemented measures
11
Resilience
(Art. 32 (1) b) GDPR)

Technical:

- Usage of cloud infrastructure which can scale in times of peak demands
12
Restoration of availability
(Art. 32 (1) c) GDPR)

Technical:

- Backup concept
- Usage of cloud infrastructure

Annex 3

Approved Subcontractors

1
Amplitude Inc.
631 Howard St., Floor 5
San Francisco, CA 94105, USA
App analytics
2
Asana
1550 Bryant Street, Suite 200
San Francisco, CA 94103, USA
Team Task management, project planning
3
Atlassian
341 George Street
Sydney, NSW 2000, Australia
Wiki, File storage
4
Canny Inc.
831 N Tatnall St Suite M #140
Wilmington, DE 19801, USA
Feature Requests and feature roadmap
5
Calendly LLC
BB&T Tower, 271 17th St NW #1000,
Atlanta, GA 30363, USA
Appointment Booking
6
Cloudflare
101 Townsend St
San Francisco, CA 94107, USA
CDN, Web-infrastructure and website-security
7
DATEV
Paumgartnerstr. 6-14,
90429 Nürnberg, Germany
Accounting, Invoice processing
8
Google Ireland
Gordon House, Barrow Street,
Dublin 4, Ireland
Analytics, File storage, Email, Forms, Secure cloud service platform for database storage, Video conferencing
9
Intercom R&D Unlimited Company
2nd Floor, Stephen Court, 18-21 St. Stephen’s Green
Dublin 2, Ireland
Chat and email support, Onboarding
10
Mailgun
112 E Pecan St. #1135
San Antonio, TX 78205, USA
Transactional Emails
11
Notion Labs, Inc.
548 Market St #74567
San Francisco, CA 94104-5401, USA
Team wiki, team task management, project planning
12
Personio
Rundfunkplatz 4
80335 München, Germany
HR, Application processes
13
Pitch Software GmbH
Joachimstraße 7
10119 Berlin, Germany
Presentations, Decks
14
Sendinblue
55 rue d’Amsterdam,
75008 Paris, France
CRM, Email Marketing, Support, Transactional emails
15
Slack
500 Howard Street
San Francisco, CA 94105, USA
Team messaging and communication
16
Stripe, Inc.
510 Townsend Street
San Francisco, CA 94103, USA
Online payment, Invoicing, Subscriptions
17
Typeform SL
Carrer Bac de Roda, 163
08018 Barcelona, Spain
Forms, Surveys
18
Webflow, Inc.
398 11th Street, 2nd Floor
San Francisco, CA 94103, USA
Website, hosting, contact forms