Data Processing Agreement

concluded between the customer (“controller”) and

Graystack IT GmbH
Am Pilgerweg 25
3131 Inzersdorf ob der Traisen

– hereinafter referred to as "Graystack"


1. Preamble

1.1 Graystack provides the controller with the SaaS solution Graystack:One. This is a web-based solution for the organization of small and medium-sized enterprises, in particular for warehouse and order management. The parties have concluded a separate agreement for this purpose (hereinafter referred to as the "Main Agreement").
1.2 In connection with the services provided under the main contract, Graystack processes personal data on behalf of the controller. In the area of this data processing, this contract supplements the Main Agreement. Any deviating provisions in this contract take precedence over the provisions of the Main Agreement.
1.3 When processing personal data, the parties shall comply with data protection regulations, in particular the provisions of the General Data Protection Regulation (GDPR) and the applicable national data protection regulations.


2. Subject matter

2.1 The subject matter of this agreement is the processing of personal data in connection with the provision of services under the Main Agreement. The specific processing activity and the technology used are set out in the main contract or the letter of offer.
2.2 Graystack processes the personal data as a data processor within the meaning of Article 28 GDPR. The processing is carried out for the purposes specified in this agreement and in the Main Agreement and exclusively on behalf of the controller.
2.3 The personal data processed under this contract is data that Graystack has collected on behalf of the controller or that has been transmitted to Graystack by the controller for order processing or otherwise made available to Graystack.
 

3. Scope and content of data processing

3.1 The controller has commissioned Graystack to provide the following services (hereinafter referred to as the data application):
Operation of a web-based solution for the organization of small and medium-sized enterprises, in particular warehouse and order management
3.2 This data processing shall take place for the duration of the Main Agreement concluded between the contracting parties.
3.3 Within the scope of the data application, Graystack processes the following data categories:
Master data, contact data, communication data, content data, image data, video data, audio data, order data, billing data
3.4 The data of the following categories of data subjects is processed within the scope of data application:
Customers of the controller; employees of the controller; suppliers and business partners of the controller or other people in a relationship with the controller
3.5 Graystack shall not process the data for any purposes other than those specified in the contract. In particular, it shall not transfer the data to third parties outside the scope of the contract.
3.6 The controller remains solely responsible for the processing of personal data carried out on its behalf. Graystack will therefore only process this data on the instructions of the controller, unless it is obliged to process it otherwise in accordance with legal requirements. However, Graystack shall notify the controller of any such other processing, unless the law prohibits such notification on grounds of an important public interest. The responsibility of the controller relates in particular to ensuring that data processing is lawful in accordance with the contract and instructions, that the principles for the processing of personal data are complied with, and that compliance can be demonstrated.
3.7 The instructions given by the controller to Graystack are set out in the Main Agreement and/or the letter of offer. The controller may amend, replace, or supplement these initial instructions by means of separate instructions. Each instruction must be within the scope of the contract and must be documented. If an instruction is given verbally due to particular urgency, it must be submitted or confirmed in documented form by the controller without delay. In this context, an instruction refers to any requirement relating to the specific data protection handling of the data processed under this contract (e.g., deletion, anonymization, or restriction of data processing).
3.8 If Graystack believes that an instruction violates legal regulations, it shall inform the controller thereof. In such a case, Graystack is entitled to suspend the implementation of the instruction until it has been amended or confirmed by the controller in documented form. If Graystack determines the purposes and means of processing in violation of the controller's instruction, it shall be deemed responsible for such processing.
3.9 Data processing takes place in the member states of the European Union (EU). Graystack is permitted to transfer the processed data to a third country if a level of protection for personal data within the meaning of Chapter 5 of the GDPR – e.g., adequacy decision, appropriate safeguards, standard contractual clauses – is ensured in the respective country.


4. Obligations of Graystack

4.1 Graystack guarantees that persons who have or may obtain knowledge of the data processed shall undertake in writing to maintain confidentiality prior to processing or gaining knowledge of this data, unless they are already subject to an appropriate statutory duty of confidentiality.
4.2 Graystack shall take appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk on the part of Graystack. To this end, it shall propose appropriate measures and, where necessary, evaluate them with the controller. Measures shall only be necessary if the effort involved is proportionate to the level of protection sought.
4.3 Graystack shall support the controller in complying with the obligations set out in Articles 32 to 36 GDPR (taking technical and organizational measures, security breach notification, preparation of a data protection impact assessment) within Graystack's sphere of influence. If a data subject contacts Graystack, Graystack shall immediately forward the data subject's request to the controller. Without instructions from the controller, Graystack shall not respond to data subject requests itself.
4.4 Upon request, the parties shall provide each other with all information necessary to demonstrate compliance with the obligations laid down in this contract regarding data protection. The same applies to information necessary to demonstrate compliance with the obligations laid down in the legal provisions on data processing. In addition, Graystack shall allow audits, including inspections, to be carried out by the controller or an auditor appointed by the controller. Graystack may object to an auditor who competes with it. For inspections that must be carried out on site at Graystack's premises, the controller shall agree on an appointment in good time in advance. Prior to the audit, the controller or auditor shall undertake to maintain confidentiality.
4.5 If Graystack becomes aware of a breach of the protection of personal data processed on behalf of the controller, it shall report this to the controller without delay. The same applies if the data processed on behalf of the controller is affected by seizure or confiscation, insolvency proceedings, or similar measures at Graystack's premises. In the event of imminent danger, Graystack is entitled and obliged to point out that responsibility for the data concerned lies with the controller. The parties shall take appropriate measures to secure the data and mitigate any possible adverse effects, in particular for the data subjects, and shall support each other in documenting this. The parties shall also inform each other about measures taken by a supervisory authority in connection with the processing of the order, to the extent permitted.
4.6 After completion of the data application, Graystack shall either delete or return all personal data at the discretion of the controller, unless there is an obligation to store the personal data under Union law or the law of the Member States.


5. Obligations of the controller

5.1 The controller shall inform Graystack as soon as possible of any inspection or audit of the data processing by a competent authority in connection with the data processing by Graystack.
5.2 The controller shall inform Graystack as soon as possible of any request by a data subject to exercise their rights.
5.3 The controller shall guarantee to Graystack that all data made available to Graystack in the performance of the agreed services has been collected in accordance with data protection regulations. Furthermore, the controller shall guarantee to Graystack that the data made available to Graystack may be processed lawfully as necessary for the performance of the agreed services under the Main Agreement.


6. Subcontractors

6.1 Graystack is entitled to commission or use subcontractors, provided that Graystack informs the controller in advance in writing of any intended change with regard to the involvement or replacement of subcontractors and the controller is free to object to such commissioning or use without giving reasons.
6.2 Graystack is obliged to commit all subcontractors within the meaning of Art. 28 (4) GDPR in writing in accordance with this contract and to transfer all obligations incumbent on Graystack to the subcontractor. In doing so, it must be ensured that the subcontractor undertakes the same obligations as those incumbent on Graystack under this agreement. If the subcontractor breaches its obligations, Graystack shall be liable. The subcontractor may also operate the data application outside the EU or the EEA if a level of protection for personal data within the meaning of Chapter 5 of the GDPR – e.g., adequacy decision, appropriate safeguards, standard contractual clauses – is ensured in the respective country.
6.3 The subcontractor may only commission or use further subcontractors under the conditions set out in point 6.
6.4 The subcontractors currently used are listed below:


List of subcontractors
Graystack uses the following subcontractors for the defined areas of responsibility:
Laravel Holdings Inc.: 60 Broad Street, 24th Floor #1559, New York 10004, United States (Cloud Hosting (Laravel Cloud), Server Monitoring (Nightwatch))
Mailgun Technologies Inc.: 112 E Pecan St, #1135, San Antonio, TX, 78205 (Mail delivery)
Stripe Payments Europe, Limited: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland (Payment Provider)
Freshworks GmbH: Neue Grünstraße 17, 10179 Berlin (Support Ticket Management)

Note about this document

This text was automatically extracted from the PDF documents for better readability and compatibility with Google. The legally binding document can be found at /legal-documents